US Pat. No. 10,397,299

ADAPTIVE MULTI-CONTROL UNIT LOAD BALANCING IN A VOICE-OVER-IP SYSTEM

International Business Ma...

1. A computer program product for transferring, in response to a recommendation, from a first multi control unit (MCU) to a second MCU, hosting of a Voice over IP (VOIP) session, the VOIP session including connecting a plurality of conference devices, the computer program product comprising at least one computer-readable storage medium having program instructions embodied therewith, the program instructions executable by at least one adaptive MCU load balancer (AMLB) processor circuit to cause the at least one computer processor circuit to perform a method comprising:
receiving, with the at least one AMLB processor, first MCU status information from the first MCU, the first MCU included in a plurality of MCUs within a VOIP system, the first MCU hosting the VOIP session, the first MCU status information associated with detected performance degradation of the first MCU;
receiving, with the at least one AMLB processor, second MCU status information from the second MCU, the second MCU included in the plurality of MCUs, the second MCU status information associated with performance of the second MCU;
determining, with the at least one AMLB processor, based at least in part on the first MCU status information and the second MCU status information, that a health score of the second MCU, calculated from the second MCU status information, indicates that hosting the VOIP session with the second MCU provides an improved VOIP Quality of Experience (QoE) metric, in comparison to a QoE metric associated with hosting the VOIP session with the first MCU;
communicating, with the at least one AMLB processor, based at least in part on the determining that the health score of the second MCU indicates that hosting the VOIP session with the second MCU provides an improved VOIP QoE metric, a recommendation, to an MCU switcher component, to transfer the VOIP session from the first MCU to the second MCU; and
transferring, with the MCU switcher component, in response to the MCU switcher component receiving the recommendation, the VOIP session from the first MCU to the second MCU, the transfer including connecting the plurality of conference devices to the VOIP session hosted by the second MCU.
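A worked illustration of the recommendation step above, added here and not code from the patent or from IBM. The status fields, the health-score weights, the MOS-like QoE mapping and the hysteresis margin are all assumptions; the switcher is a stand-in that records the reconnection it would perform.

```python
from dataclasses import dataclass


@dataclass
class McuStatus:
    """Status report an MCU sends to the load balancer (fields are assumed)."""
    mcu_id: str
    cpu_load: float         # 0.0 .. 1.0
    packet_loss: float      # fraction of media packets lost, 0.0 .. 1.0
    jitter_ms: float
    degraded: bool = False  # the MCU flagged its own performance degradation


def health_score(s: McuStatus) -> float:
    """Health in [0, 1]; the weights are illustrative, not taken from the patent."""
    score = 1.0 - 0.4 * s.cpu_load - 3.0 * s.packet_loss - s.jitter_ms / 200.0
    if s.degraded:
        score -= 0.2
    return max(0.0, min(1.0, score))


def qoe_metric(s: McuStatus) -> float:
    """Assumed QoE on a MOS-like 1..5 scale, derived from the health score."""
    return 1.0 + 4.0 * health_score(s)


class McuSwitcher:
    """Stand-in for the MCU switcher component: records the transfers it performs."""

    def __init__(self):
        self.transfers = []

    def transfer(self, session_id, src_mcu, dst_mcu, devices):
        # Reconnect every conference device to the session now hosted by dst_mcu.
        result = {"session": session_id, "from": src_mcu, "host": dst_mcu,
                  "devices": list(devices)}
        self.transfers.append(result)
        return result


class AdaptiveMcuLoadBalancer:
    def __init__(self, switcher: McuSwitcher, min_qoe_gain: float = 0.25):
        self.switcher = switcher
        self.min_qoe_gain = min_qoe_gain  # hysteresis so tiny gains do not cause flapping

    def evaluate(self, session_id, devices, first: McuStatus, others: list):
        """Return the transfer result if another MCU would improve QoE, else None."""
        current_qoe = qoe_metric(first)
        best = max(others, key=qoe_metric, default=None)
        if best is None or qoe_metric(best) - current_qoe < self.min_qoe_gain:
            return None
        # Recommendation to the switcher: move the session to the healthier MCU.
        return self.switcher.transfer(session_id, first.mcu_id, best.mcu_id, devices)
```

The margin matters in practice: without it a session would bounce between two MCUs whose scores differ by noise.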

US Pat. No. 10,397,298

METHOD AND SYSTEMS FOR OPTIMIZING BANDWIDTH UTILIZATION IN A MULTI-PARTICIPANT FULL MESH PEER-TO-PEER VIDEO SESSION

Polycom, Inc., San Jose,...

1. A method for optimizing bandwidth in a mesh system, comprising:
initiating, at a bandwidth optimization module, a peer-to-peer conference with a plurality of remote devices, wherein a first device is assigned to a first quality list and a second device is assigned to a second quality list, wherein the first quality list indicates a first quality level and wherein the second quality list indicates a second quality level;
determining, during the peer-to-peer conference, that the second device satisfies conditions to be a member of the first quality list;
determining that a maximum number of members of the first quality list has been reached;
in response to determining that a maximum number of members of the first quality list has been reached, selecting the first device to be removed from the first quality list based on characteristics of the first device, wherein the members of the first quality list are listed in order of preference, and wherein the characteristics indicate that the first device is least preferable based on the order of preference of the first quality list;
removing the first device from the first quality list;
adding the second device to the first quality list; and
transmitting a request to the second device to receive a data stream at the first quality level.
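The list-management steps above as a runnable illustration, added here and not code from the patent or from Polycom. The device characteristics used for the preference order (measured bandwidth, CPU headroom) and the admission threshold per list are assumptions; the generalisation over the claim is that the evicted device is demoted to the lower list rather than simply dropped.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    bandwidth_kbps: int    # assumed characteristic used for the preference order
    cpu_headroom: float    # 0..1, assumed tie-breaker


@dataclass
class QualityList:
    level: str
    max_members: int
    min_bandwidth_kbps: int                       # assumed admission condition
    members: list = field(default_factory=list)   # kept most-preferred first

    def qualifies(self, d: Device) -> bool:
        return d.bandwidth_kbps >= self.min_bandwidth_kbps

    def is_full(self) -> bool:
        return len(self.members) >= self.max_members

    def insert(self, d: Device) -> None:
        self.members.append(d)
        self.members.sort(key=lambda m: (m.bandwidth_kbps, m.cpu_headroom), reverse=True)


class MeshBandwidthOptimizer:
    def __init__(self, high: QualityList, low: QualityList):
        self.high, self.low = high, low
        self.requests = []   # (device, level) stream requests sent to peers

    def _request(self, d: Device, level: str) -> None:
        self.requests.append((d.name, level))

    def admit(self, d: Device) -> str:
        """Initial assignment when the conference is initiated."""
        target = self.high if self.high.qualifies(d) and not self.high.is_full() else self.low
        target.insert(d)
        self._request(d, target.level)
        return target.level

    def reevaluate(self, d: Device):
        """During the conference: promote d if it now qualifies for the high list.
        Returns the device evicted to make room, if any."""
        if d in self.high.members or not self.high.qualifies(d):
            return None
        evicted = None
        if self.high.is_full():
            evicted = self.high.members.pop()        # least preferable by list order
            self.low.insert(evicted)                 # demotion is an assumption
            self._request(evicted, self.low.level)
        if d in self.low.members:
            self.low.members.remove(d)
        self.high.insert(d)
        self._request(d, self.high.level)
        return evicted
```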

US Pat. No. 10,397,297

METHOD AND APPARATUS FOR TRANSMITTING AND RECEIVING IMAGE DATA FOR VIRTUAL-REALITY STREAMING SERVICE

Samsung Electronics Co., ...

1. An apparatus for receiving image data for a virtual reality (VR) streaming service, the apparatus comprising:
a transceiver; and
a processor configured to:
determine whether to perform an adaptive VR streaming service based on a bandwidth state; and
if it is determined to perform the adaptive VR streaming service, request image data for the adaptive VR streaming service based on pre-collected head tracking information and bandwidth information.

US Pat. No. 10,397,296

COMMENT LINK FOR SHARED STREAMING MEDIA CONTENT

SONY INTERACTIVE ENTERTAI...

1. A method for an authenticated user of an item of streaming content played on a first device to create a sharable clip of a portion of the content smaller than the whole of the item of content, comprising:
using an interface on the first device to accept a first input from the authenticated user to define the clip;
using the interface on the first device to accept a second input from the authenticated user to create a comment for the clip;
creating an identifier for the clip, the identifier uniquely corresponding to the clip; and
sending the identifier and the comment from the first device to a second device of a second user in a form that includes a clickable link;
wherein the clip is streamed to the second device of the second user in response to receipt of a request generated based on the clickable link from the second device of the second user, independent of whether the second user is authorized to access the entire item of content; and
wherein the clickable link expires either after a predetermined time or after the clip has been played by the second user for a predetermined number of times.
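The security-relevant part of this claim is that the link is a scoped, expiring capability: it grants the second user the clip, and only the clip, without any entitlement to the whole item. One way to implement that, added here and not code from the patent or from Sony, is a server-signed token carrying the clip identifier, an expiry and a play budget, with the play count kept server-side per link. The HMAC construction, the entitlement table, the key and the endpoint URL are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

SERVER_KEY = b"hypothetical-server-signing-key"   # assumed; real keys live in a KMS/HSM


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Clip:
    clip_id: str
    content_id: str
    start_s: float
    end_s: float
    comment: str
    creator: str


class ClipShareService:
    def __init__(self, key: bytes, now=time.time):
        self.key, self.now = key, now
        self.clips = {}    # clip identifier -> Clip
        self.plays = {}    # link id -> plays consumed through that link
        # Constructed entitlement table: who may play an entire item of content.
        self.entitled = {"alice": {"movie-42"}}

    def create_clip(self, user, content_id, start_s, end_s, comment):
        if content_id not in self.entitled.get(user, set()):
            raise PermissionError("only an authenticated, entitled user may clip this item")
        if not 0 <= start_s < end_s:
            raise ValueError("clip bounds must lie within the item")
        clip_id = secrets.token_urlsafe(12)   # unique and unguessable
        self.clips[clip_id] = Clip(clip_id, content_id, start_s, end_s, comment, user)
        return clip_id

    def make_link(self, clip_id, ttl_s, max_plays):
        """Signed link that expires by time or by play count; the comment rides with it."""
        claims = {"clip": clip_id, "exp": int(self.now()) + ttl_s,
                  "max": max_plays, "lid": secrets.token_urlsafe(8)}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = _b64e(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"https://example.invalid/clip?t={body}.{tag}"   # hypothetical endpoint

    def _verify(self, token):
        body, _, tag = token.partition(".")
        try:
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(tag)):
                return None
            return json.loads(_b64d(body))
        except ValueError:
            return None

    def stream_clip(self, link, viewer):
        """Handle the second user's click: the clip range only, whatever the viewer's
        entitlement to the whole item."""
        token = parse_qs(urlparse(link).query).get("t", [""])[0]
        claims = self._verify(token)
        if claims is None:
            return {"ok": False, "reason": "bad signature"}
        if self.now() >= claims["exp"]:
            return {"ok": False, "reason": "expired"}
        count = self.plays.get(claims["lid"], 0)
        if count >= claims["max"]:
            return {"ok": False, "reason": "play limit reached"}
        self.plays[claims["lid"]] = count + 1
        clip = self.clips[claims["clip"]]
        return {"ok": True, "viewer": viewer, "content": clip.content_id,
                "range": (clip.start_s, clip.end_s), "comment": clip.comment}
```

The play budget is tracked per link id rather than per clip, so revoking or exhausting one shared link does not affect another link to the same clip; the signature check runs before any claim is trusted.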

US Pat. No. 10,397,295

PROCESSING CONTINUOUS MULTI-PERIOD CONTENT

Qualcomm Incorporated, S...

1. A method of sending media data, the method comprising:
splitting, by a media server, main content of media data into a plurality of periods including a first period and a second period, wherein the first period and the second period are temporally sequential;
adding, by the media server, one or more synchronization points to the plurality of periods;
signaling, by the media server, information indicating that secondary media content is available for insertion between the first period and the second period; and
signaling, by the media server, a time indicator for each of the plurality of periods, wherein the time indicator defines one or more time characteristics for each of the plurality of periods.

US Pat. No. 10,397,294

BANDWIDTH ADAPTATION FOR DYNAMIC ADAPTIVE TRANSFERRING OF MULTIMEDIA

Dolby Laboratories Licens...

1. A method for controlling adjustment of quality level of media content adapted to be transferred over a network link, comprising:
receiving, at a client device, an indication of availability that lists available content from one or more content sources, the indication of availability comprising at least: a description of two or more first quality level segments of a particular media content item and a description of two or more second quality level segments of the particular media content item, wherein at least one or more first quality level segments of the two or more first quality level segments represent a same content portion of the particular media content item as at least one or more second quality level segments of the two or more second quality level segments, wherein the two or more first quality level segments of the particular media content item require a first data rate, wherein the two or more second quality level segments of the particular media content item require a second data rate;
requesting, by the client device, from a content source of the one or more content sources selected from the indication of availability a first segment of the two or more first quality segments of the particular media content item;
receiving, at the client device, the first segment of the two or more first quality segments of the particular media content item over a network connection;
periodically measuring, by the client device, available bandwidth over the network connection;
based on the measurement of the available bandwidth, the client device requesting a next segment from a next content source to dynamically adapt to the measurement of available bandwidth by performing one of:
i) based on a determination by the client device that the available bandwidth is sufficient to accommodate the second data rate and the second data rate is greater than the first data rate, requesting, by the client device, from the next content source of the one or more content sources selected from the indication of availability, the next segment from the two or more second quality level segments;
ii) based on a determination by the client device that the available bandwidth is less than the first data rate and the second data rate is less than the first data rate, requesting, by the client device, from the next content source of the one or more content sources selected from the indication of availability, the next segment from the two or more second quality level segments; or
iii) else, requesting, by the client device, from the next content source of the one or more content sources selected from the indication of availability, the next segment from the two or more first quality level segments.
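The three-branch decision in the claim, run over a sequence of bandwidth measurements, as an added example that is not code from the patent or from Dolby. The claim compares exactly two quality levels; the example generalises to a ladder by taking the next step up as the "second quality level" when the measured bandwidth covers the current rate and the next step down otherwise. The ladder, its rates and the source URLs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Representation:
    """One quality level from the indication of availability (constructed sample)."""
    name: str
    data_rate_kbps: int
    source: str   # content source that serves this level's segments


def choose_next(measured_kbps, current, other):
    """The claim's rule. `current` is the level of the segment just received (first
    quality level), `other` the level compared against (second quality level).
    Returns (representation to request next, branch label)."""
    if measured_kbps >= other.data_rate_kbps and other.data_rate_kbps > current.data_rate_kbps:
        return other, "i"     # bandwidth covers the higher rate: switch up
    if measured_kbps < current.data_rate_kbps and other.data_rate_kbps < current.data_rate_kbps:
        return other, "ii"    # bandwidth no longer covers the current rate: switch down
    return current, "iii"     # otherwise keep the current level


def pick_comparison(ladder, idx, measured_kbps):
    """Assumed generalisation to a ladder: compare with the next step up when the
    measurement covers the current rate, otherwise with the next step down."""
    if measured_kbps >= ladder[idx].data_rate_kbps:
        return min(idx + 1, len(ladder) - 1)
    return max(idx - 1, 0)


def adapt(ladder, start_idx, bandwidth_samples):
    """Per-segment client decision over periodic bandwidth measurements.
    Returns a trace of (measured_kbps, level, branch, source) for each next segment."""
    ladder = sorted(ladder, key=lambda r: r.data_rate_kbps)
    idx = start_idx
    trace = []
    for kbps in bandwidth_samples:
        other_idx = pick_comparison(ladder, idx, kbps)
        chosen, branch = choose_next(kbps, ladder[idx], ladder[other_idx])
        idx = ladder.index(chosen)
        trace.append((kbps, chosen.name, branch, chosen.source))
    return trace


LADDER = (
    Representation("360p", 800, "https://cdn-a.example.invalid/360p/"),
    Representation("720p", 2500, "https://cdn-a.example.invalid/720p/"),
    Representation("1080p", 5000, "https://cdn-b.example.invalid/1080p/"),
)
```

Branch iii is the hold state: a measurement between the current rate and the next rate up leaves the level unchanged, which is what keeps the client from oscillating on every sample.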

US Pat. No. 10,397,293

DYNAMIC CHUNKING FOR DELIVERY INSTANCES

Brightcove, Inc., Boston...

1. A method of providing media with a data network, the method comprising:
receiving, from a client application via the data network, a request having a universal source locator (URL), wherein the URL includes information indicative of a requested media file;
in response to receiving the request:
determining one or more factors related to the request, wherein the one or more factors related to the request include historical data obtained from streaming media with the data network; and
determining, with a processor, a chunking strategy based on the historical data, wherein the chunking strategy is indicative of a format, a bit rate, or both;
generating an index file having information for streaming the requested media file via the data network, the information including:
a Universal Resource Indicator (URI) of a chunk for streaming the requested media file, and
information regarding one or more characteristics of the chunk to be used in the generation of the chunk,
wherein the index file is generated during playback of the requested media file by the client application, and the generating is based, at least in part, on the chunking strategy; and
making the index file available to the client application.

US Pat. No. 10,397,292

SYSTEMS, METHODS, AND MEDIA FOR DELIVERY OF CONTENT

DIVX, LLC, San Diego, CA...

1. A system for live streaming of content, the system comprising:
an architecture comprising a hardware media encoder and a hardware management server connected via a communications network; wherein:
the media encoder is configured for real-time encoding and uploading a live content stream of a live event to a pool of content delivery networks for use in distributing the live content stream to a plurality of user equipment devices, wherein the pool of content delivery networks utilizes communication paths to stream the live content stream to the user equipment devices;
the management server is configured to:
maintain the pool of content delivery networks for use in distributing the live content stream, wherein each content delivery network of the pool of content delivery networks comprises load balancing servers, gateways, and storage servers connected via the communications network;
receive a request to stream the live content stream from a particular user equipment device, wherein the particular user equipment device has a first geographic location that is shared with a plurality of user equipment devices;
provide a listing of content delivery networks of the pool of content delivery networks to the media encoder, wherein the media encoder encodes and uploads a first fragment of the live content stream to the pool of content delivery networks;
provide, to the particular user equipment device, a manifest that identifies the pool of content delivery networks, wherein the particular user equipment device requests at least a portion of the live content stream from a first content delivery network from the pool of content delivery networks over a first distribution path;
determine whether a predetermined condition is satisfied, wherein the predetermined condition comprises whether a count of user equipment devices that are located at the first geographic location and are currently streaming the content from the pool of content delivery networks exceeds a threshold quantity of streaming user equipment devices;
when the predetermined condition is satisfied:
select an additional content delivery network from a set of available content delivery networks to add to the pool of content delivery networks based on a plurality of factors comprising at least:
 distance between a second geographic location corresponding to the additional content delivery network and geographic locations corresponding to content delivery networks within the pool of content delivery networks,
 latency along at least one different distribution path between the additional content delivery network and the particular user equipment device, and
 throughput for at least one different distribution path between the additional content delivery network and the particular user equipment device;
update the pool of content delivery networks to include the additional content delivery network, wherein the additional content delivery network comprises a load balancing server, a gateway, and a storage server connected via a communications network;
provide an updated listing of the updated pool of content delivery networks, including the additional content delivery network, to the media encoder, wherein the media encoder encodes and uploads a second fragment of the live content stream to the updated pool of content delivery networks, including the additional content delivery network, to stream the live content stream using a distribution path including the additional content delivery network from the updated pool of content delivery networks; and
provide, to the particular user equipment device, an updated manifest that identifies the additional content delivery network, wherein the particular user equipment requests at least a portion of the live content stream from the additional content delivery network.

US Pat. No. 10,397,291

SESSION-SPECIFIC STREAMING CONTENT REPLACEMENT

Twitch Interactive, Inc.,...

1. A computing system for live streaming video content replacement comprising:
one or more processors; and
one or more memories having stored therein instructions that, upon execution by the one or more processors, cause the computing system to perform operations comprising:
receiving information indicating one or more first characteristics associated with a first video player;
receiving information indicating one or more second characteristics associated with a second video player;
transmitting, to the first video player, first instructions to play a first portion of first live streaming video content, followed by second streaming video content, followed by a third portion of the first live streaming video content, wherein the second streaming video content replaces a second portion of the first live streaming video content, and wherein the second streaming video content is selected for the first video player based, at least in part, on the one or more first characteristics;
transmitting, to the first video player, the first portion of first live streaming video content, the second streaming video content, and the third portion of the first live streaming video content;
transmitting, to the second video player, second instructions to play the first portion of the first live streaming video content, followed by third streaming video content, followed by the third portion of the first live streaming video content, wherein the third streaming video content replaces the second portion of the first live streaming video content, and wherein the third streaming video content is selected for the second video player based, at least in part, on the one or more second characteristics; and
transmitting, to the second video player, the first portion of first live streaming video content, the third streaming video content, and the third portion of the first live streaming video content.

US Pat. No. 10,397,290

METHOD AND SYSTEM FOR SWITCHING AND SIMULTANEOUS REPLAY OF HOME MEDIA STREAMING

INTERDIGITAL CE PATENT HO...

1. A method for switching play of a media streaming, wherein a first device receives content from a source device via multicast to play, the method comprising:
receiving a request to switch from the first device to a second device to play the content;
instructing the first device to unicast the content stored in the first device from a time-point of receiving the request to play the content at the second device;
retransferring via multicast the content from the source device to both the first device and the second device from the time-point;
instructing the second device to stop receiving the unicasted content from the first device when the retransferred content from the source device reaches a point in time of the content play that is synchronized with a same point in time of the content being played at the second device;
instructing the second device to start receiving and storing the retransferred content from the source device via multicast when the retransferred content reaches a point in time that is synchronized with the content unicasted from the first device and stored in the second device; and
when the content is played at the first device simultaneously with the second device, starting receiving and storing the retransferred content by the first device when the retransferred content reaches a point in time that is synchronized with the content stored in the first device.

US Pat. No. 10,397,289

HTTP LIVE STREAMING (HLS) VIDEO CLIENT SYNCHRONIZATION

ARRIS Enterprises LLC, S...

1. A method for delivering streaming media content from a streaming media server to at least two client devices through a common gateway so that the streaming media content is presented simultaneously by the client devices, comprising:
(i) determining that a request received by the common gateway from a first client device is a request to receive from a streaming media server the streaming media content that is to be synchronized with a presentation of the streaming media content by a second client device that receives the streaming media content through the common gateway, the first and second client devices being of a common type that process streaming media in a common manner, wherein the streaming media content is live content streamed in accordance with HTTP Live Streaming (HLS);
(ii) sending the request from the gateway to the streaming media server;
(iii) responsive to the request from the gateway, receiving at the gateway an initial manifest associated with the streaming media content, the initial manifest including a sequence of media segment URLs indicating an ordering of the media segments that create a representation of a portion of the streaming media content;
(iv) sending one or more additional requests from the gateway to the streaming media server to receive an updated version of the initial manifest, the one or more additional requests being sent at time intervals that are less than a duration of the media segments in the initial manifest;
(v) forwarding the updated version of the initial manifest and not the initial manifest itself to the first client device immediately upon receiving the updated version of the initial manifest at the gateway, wherein delivery of the updated version of the initial manifest is delayed with a given delay to enable forwarding of the updated version of the initial manifest immediately;
(vi) receiving a request from the first client device to receive a selected media segment specified in the updated version of the initial manifest;
(vii) forwarding the request for the selected media segment to the server and receiving the selected media segment in response;
(viii) forwarding the selected media content to the first client device at a transmission rate greater than a rate at which the media segment plays out in real-time and less than a transmission rate available over a slower of a first or second transmission link, the first transmission link being between the gateway and the first client device and the second transmission link being between the gateway and the second client device, the transmission rate selected to create the given delay to enable synchronization of the media content to the first client device and the second client device; and
(ix) repeating steps (i)-(viii) for the second client device.

US Pat. No. 10,397,288

CLOUD STREAMING SERVICE SYSTEM, DATA COMPRESSING METHOD FOR PREVENTING MEMORY BOTTLENECKING, AND DEVICE FOR SAME

SK TECHX CO., LTD., Seou...

1. A cloud streaming server comprising:
a capture unit configured to capture a cloud streaming service screen;
an encoding unit configured to load the captured cloud streaming service screen from a buffer for temporarily storing the captured cloud streaming service screen, and to encode the loaded cloud streaming service screen;
a communication unit configured to transmit the encoded cloud streaming service screen to a terminal device; and
a compression unit configured to determine whether a bottleneck occurs in the buffer, and to compress the cloud streaming service screen depending on a determination result.

US Pat. No. 10,397,287

AUDIO DATA TRANSMISSION USING FREQUENCY HOPPING

Microsoft Technology Lice...

1. A method comprising:
obtaining data representing an ordered sequence of multiple characters;
determining a code for each character in the ordered sequence of multiple characters, wherein each character in the ordered sequence of multiple characters corresponds to a different code identifying the character and sequence position of the character in the ordered sequence of multiple characters;
identifying a set of audio frequencies for the ordered sequence of multiple characters, wherein each determined code corresponds to a different audio frequency and wherein each audio frequency uniquely indicates a combination of a respective character and a respective sequence position of the respective character; and
transmitting the set of audio frequencies to a receiver, wherein each respective audio frequency of the set of audio frequencies is used by the receiver to reconstruct the ordered sequence of multiple characters independent of a sequence of the transmitting of the set of audio frequencies.
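The encoding described above as a runnable illustration, added here and not code from the patent or from Microsoft. Each (character, sequence position) pair owns one frequency bin, so the receiver rebuilds the string from the bins it detected regardless of hop order. The alphabet, base frequency, bin spacing, maximum length and the quarter-bin tolerance are assumptions; the example also rejects incomplete or conflicting receptions, which the claim does not address.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits + " .,-_@:/"   # 70 symbols, assumed
BASE_HZ = 1000.0
STEP_HZ = 10.0    # bin spacing, assumed
MAX_LEN = 16      # longest sequence the plan supports, assumed


def frequency_for(char: str, pos: int) -> float:
    """Position-major code: every (char, position) pair maps to its own bin."""
    if pos >= MAX_LEN:
        raise ValueError("sequence too long for the frequency plan")
    code = pos * len(ALPHABET) + ALPHABET.index(char)
    return BASE_HZ + code * STEP_HZ


def encode(text: str) -> list:
    return [frequency_for(ch, i) for i, ch in enumerate(text)]


def hop_order(frequencies, seed=0) -> list:
    """Transmit order is irrelevant to the receiver; here a seeded pseudo-random hop sequence."""
    order = list(frequencies)
    random.Random(seed).shuffle(order)
    return order


def decode(frequencies) -> str:
    """Rebuild the sequence from the tones in whatever order they arrived."""
    slots = {}
    for f in frequencies:
        code = round((f - BASE_HZ) / STEP_HZ)
        if code < 0 or abs(BASE_HZ + code * STEP_HZ - f) > STEP_HZ / 4:
            raise ValueError(f"tone {f:.1f} Hz is not near any bin")
        pos, idx = divmod(code, len(ALPHABET))
        if pos >= MAX_LEN:
            raise ValueError("tone outside the frequency plan")
        char = ALPHABET[idx]
        if slots.get(pos, char) != char:
            raise ValueError(f"conflicting tones for position {pos}")
        slots[pos] = char
    if sorted(slots) != list(range(len(slots))):
        raise ValueError("a position is missing; sequence incomplete")
    return "".join(slots[i] for i in range(len(slots)))


def try_decode(frequencies):
    """(True, text) on success, (False, reason) otherwise."""
    try:
        return True, decode(frequencies)
    except ValueError as exc:
        return False, str(exc)
```

Because position is part of the code, a replayed or injected tone for a position already received is detectable as a conflict rather than silently overwriting a character.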

US Pat. No. 10,397,286

ESTIMATING NETWORK DATA STREAMING RATE

1. A method, comprising:
intercepting a data packet from a data streaming session conducted between a first device and a second device connected over a network;
calculating a size of a file segment from information contained in the data packet, wherein the file segment corresponds to a portion of an item of multimedia content being delivered via the data streaming session, wherein the size of the file segment is calculated as a total number of bytes delivered via the data streaming session divided by a total number of file segments delivered via the data streaming session; and
calculating an encoding rate of the data streaming session, based at least in part on the size of the file segment.

US Pat. No. 10,397,285

EARLY-MEDIA SERVICE CONTROL DEVICE, EARLY-MEDIA SERVICE CONTROL METHOD, AND STORAGE MEDIUM HAVING PROGRAM STORED THEREON

NEC CORPORATION, Tokyo (...

1. An early-media service control device comprising:
a communication unit;
a resource reservation status determination unit that determines whether or not a value of a parameter indicating resource reservation status of a session-start-request-transmitting terminal device is a value indicating reserved, the parameter being included in a session start request transmitted by the session-start-request-transmitting terminal device and received by the communication unit, the session-start-request-transmitting terminal device being based on an early media scheme of starting early-media service execution with receipt of a calling-in-progress notification as one requirement;
a parameter value rewriting unit that, when the resource reservation status determination unit determines that the value of the parameter is a value indicating reserved, rewrites the value of the parameter to a value indicating resource unreserved;
a session start request transmission control unit that, when the resource reservation status determination unit determines that the value of the parameter is a value indicating reserved, controls the communication unit in such a way that the communication unit transmits, to a session-start-request-receiving network, a session start request in which a value of a parameter is rewritten by the parameter value rewriting unit, and when the resource reservation status determination unit determines that the value of the parameter is not a value indicating reserved, controls the communication unit in such a way that the communication unit transmits, to a session-start-request-receiving network, a session start request received from the session-start-request-transmitting terminal device; and
a calling-in-progress notification transmission control unit that, when the communication unit receives a response indicating resource reserved in a session-start-request-receiving terminal device, controls the communication unit in such a way that the communication unit transmits the calling-in-progress notification to the session-start-request-transmitting terminal device, the response being transmitted in response to the session start request transmitted to the session-start-request-receiving network by the communication unit.
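The control device's behaviour as a small state machine, added here and not code from the patent or from NEC. The example treats the RFC 3312 SDP precondition attribute `a=curr:qos local ...` as the resource reservation status parameter and a SIP 180 Ringing as the calling-in-progress notification; both mappings are assumptions made for illustration, and the sample offer is constructed with documentation addresses.

```python
import re

# Assumption: the reservation status parameter is the RFC 3312 current-status line.
CURR_LOCAL = re.compile(r"^(a=curr:qos local )(\S+)", re.MULTILINE)


def local_reserved(sdp: str) -> bool:
    """True when the sender's current local QoS status is anything but 'none'."""
    m = CURR_LOCAL.search(sdp)
    return m is not None and m.group(2) != "none"


def rewrite_local_unreserved(sdp: str) -> str:
    return CURR_LOCAL.sub(r"\1none", sdp)


class EarlyMediaServiceControl:
    """Sits between a terminal that starts early media on a calling-in-progress
    notification and the session-start-request-receiving network."""

    def __init__(self):
        self.to_network = []    # (call_id, sdp) session start requests forwarded
        self.to_terminal = []   # (call_id, notification) sent back to the terminal
        self.pending = {}       # call_id -> "rewritten" | "forwarded"

    def on_session_start_request(self, call_id: str, sdp: str) -> str:
        if local_reserved(sdp):
            # Hide the terminal's reservation so the far side does not treat the
            # preconditions as already met before it has reserved its own resources.
            sdp = rewrite_local_unreserved(sdp)
            self.pending[call_id] = "rewritten"
        else:
            self.pending[call_id] = "forwarded"
        self.to_network.append((call_id, sdp))
        return self.pending[call_id]

    def on_response(self, call_id: str, sdp: str) -> bool:
        """Response from the receiving network; its 'local' status is the callee's.
        The calling-in-progress notification goes out only once the callee reserved."""
        if call_id in self.pending and local_reserved(sdp):
            self.to_terminal.append((call_id, "180 Ringing"))   # assumed notification
            return True
        return False


# Constructed sample offer with local resources already reserved.
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=curr:qos local sendrecv",
    "a=curr:qos remote none",
    "a=des:qos mandatory local sendrecv",
    "a=des:qos mandatory remote sendrecv", "",
])
```

Only the current-status line is rewritten; the desired-status (`a=des:qos`) lines are left intact so the far end still negotiates the mandatory preconditions.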

US Pat. No. 10,397,283

USING SYMMETRIC AND ASYMMETRIC FLOW RESPONSE PATHS FROM AN AUTONOMOUS SYSTEM

Oracle International Corp...

1. One or more non-transitory machine readable media storing instructions, which when executed by one or more processors, cause:
receiving, by a first gateway in an Autonomous System (AS), a first packet originating at a virtual machine that is internal to the AS and allocated to a particular tenant of a plurality of tenants of the AS,
wherein the first packet is to be transmitted out of the AS to an Internet address external to the AS,
wherein the Internet address external to the AS is accessible via a plurality of egress gateways in the AS, each of the plurality of egress gateways being configured for transmitting packets out of the AS to the Internet;
determining a plurality of dropped packet rates associated, respectively, with the plurality of egress gateways;
determining, based on a comparison of the plurality of dropped packet rates, that a first egress gateway of the plurality of egress gateways is associated with a lowest dropped packet rate of the plurality of dropped packet rates;
determining that a first packet priority associated with the first packet satisfies a threshold criterion;
based at least on (a) the first egress gateway being associated with the lowest dropped packet rate and (b) the first packet priority satisfying the threshold criterion: selecting, by the first gateway, the first egress gateway for transmission of the first packet out of the AS to the Internet;
encapsulating, by the first gateway, the first packet within a second packet addressed to the first egress gateway;
transmitting, by the first gateway, the second packet toward the first egress gateway;
prior to the first gateway receiving the first packet:
receiving, by the first gateway from the first egress gateway, a third packet encapsulating an inner fourth packet, wherein a header of the third packet identifies a destination in an overlay network for forwarding the fourth packet;
modifying a destination of the fourth packet to the destination in the overlay network identified in the header of the third packet, to obtain a fifth packet; and
transmitting the fifth packet by the first gateway to the destination in the overlay network.
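Both directions of the claim in one runnable model, added here and not code from the patent or from Oracle: inbound decapsulation with the overlay destination taken from the outer header, and outbound egress selection by lowest dropped-packet rate gated on packet priority. The claim does not say what happens to packets below the priority threshold; the example assumes they keep the symmetric path (the egress their inbound traffic arrived through), in line with the patent's title. Addresses and drop counters are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    priority: int = 0
    payload: bytes = b""
    inner: Optional["Packet"] = None    # set on an encapsulating (outer) packet
    overlay_dst: Optional[str] = None   # outer-header field naming the overlay destination


@dataclass
class EgressGateway:
    address: str
    sent: int = 0
    dropped: int = 0

    def dropped_rate(self) -> float:
        return self.dropped / self.sent if self.sent else 0.0


class TenantGateway:
    """First gateway: decapsulates inbound packets and picks an egress for outbound ones."""

    def __init__(self, address, egresses, priority_threshold=5):
        self.address = address
        self.egresses = {e.address: e for e in egresses}
        self.priority_threshold = priority_threshold   # assumed threshold criterion
        self.flow_ingress = {}   # (overlay vm, internet peer) -> egress that delivered inbound
        self.delivered = []

    def handle_inbound(self, third: Packet) -> Packet:
        """Third packet (from an egress) encapsulates the fourth; re-address the fourth
        to the overlay destination in the third's header and forward it as the fifth."""
        fourth = third.inner
        self.flow_ingress[(third.overlay_dst, fourth.src)] = third.src
        fifth = Packet(fourth.src, third.overlay_dst, fourth.priority, fourth.payload)
        self.delivered.append(fifth)
        return fifth

    def handle_outbound(self, first: Packet) -> Packet:
        """Select an egress and encapsulate the first packet in a second addressed to it."""
        best = min(self.egresses.values(), key=EgressGateway.dropped_rate)
        if first.priority >= self.priority_threshold:
            chosen = best                               # asymmetric: lowest-loss egress
        else:
            # Assumed: low-priority flows stay symmetric with their inbound path.
            symmetric = self.flow_ingress.get((first.src, first.dst))
            chosen = self.egresses.get(symmetric, best)
        second = Packet(self.address, chosen.address, first.priority, inner=first)
        chosen.sent += 1
        return second
```

One practical check this model makes visible: the overlay destination is taken from the outer header the egress wrote, so an egress that can be made to emit arbitrary `overlay_dst` values could steer traffic to any tenant. In a real deployment that header must only be trusted from authenticated egress gateways.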

US Pat. No. 10,397,282

PROVIDING SESSION INITIATION PROTOCOL REQUEST CONTENTS METHOD AND SYSTEM

BlackBerry Limited, Wate...

1. An Application Server (AS) for obtaining information regarding a first entity, the AS comprising:
a processor configured to receive a session initiation protocol (SIP) message from a second entity, the SIP message including a first message that was received by the second entity from the first entity or a second message that was sent from the second entity towards the first entity,
wherein the processor is further configured to obtain the information that was included by the first entity from the first message or that was sent towards the first entity in the second message,
wherein at least one of the first message or the second message comprises a first request uniform resource identifier (Request URI), the first Request URI comprising a SIP registrar address, and wherein the SIP message comprises a second Request URI, the second Request URI comprising an address of the AS.

US Pat. No. 10,397,281

METHOD, SYSTEM AND SERVER FOR SELF-HEALING OF ELECTRONIC APPARATUS

Wistron Corporation, New...

1. A self-healing method of an electronic apparatus, adapted to execute self-healing when at least one component in an electronic apparatus is updated, and comprising:
obtaining a clone of components installed in the electronic apparatus;
for each of the components in the clone:
in response to the component in the clone having an update, executing the update to the component in the clone; and
updating the component corresponding to the update in the electronic apparatus by using the clone in response to a sanity of the update being confirmed;
executing a self-diagnosis on the updated electronic apparatus to produce a diagnosis result;
obtaining at least one policy based on the diagnosis result for healing the electronic apparatus; and
transforming the at least one policy into at least one rule adapted for the electronic apparatus, and performing the self-healing according to the rules.

US Pat. No. 10,397,280

TECHNOLOGIES FOR SCALABLE SECURITY ARCHITECTURE OF VIRTUALIZED NETWORKS

Intel Corporation, Santa...

1. A computing node of a network functions virtualization (NFV) security architecture for managing security monitoring services of the NFV security architecture, the computing node comprising:
one or more processors; and
one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the computing node to:
instantiate an NFV security services agent on a virtual network function (VNF) instance of the computing node, wherein the NFV security services agent has access to monitor and collect telemetry data associated with a service being performed by the VNF instance, and wherein the service being performed does not have access to the telemetry data collected by the instantiated NFV security services agent;
receive, by the NFV security services agent, via an NFV security services controller of the NFV security architecture, credentials usable to (i) securely package data and (ii) establish secure communication channels;
receive, by the NFV security services agent via the NFV security services controller, a security monitoring policy from an NFV services provider of a virtualization interface manager communicatively coupled to the NFV security services agent and the NFV security services controller, the security monitoring policy including monitoring rules usable to identify which telemetry data of the NFV security architecture is to be monitored;
monitor, by the NFV security services agent, in a secure environment of the computing node, telemetry data of the VNF instance based on the received security monitoring policy;
securely package, in the secure environment by the NFV security services agent and using the received credentials, at least a portion of the monitored telemetry data based on the received security monitoring policy;
establish, by the NFV security services agent and using the received credentials, a secure communication channel between the NFV security services agent and an NFV security monitoring analytics system of the NFV security architecture;
securely transmit, by the NFV security services agent and via the secure communication channel, the packaged telemetry data to the NFV security monitoring analytics system for analysis based on the received security monitoring policy;
apply a timestamp to the packaged telemetry data; and
transmit the timestamp with the packaged telemetry data.

US Pat. No. 10,397,279

DIRECTING AUDITED DATA TRAFFIC TO SPECIFIC REPOSITORIES

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method for auditing data traffic, the computer-implemented process comprising:
monitoring data traffic on a network and collecting data access elements thereof;
comparing the collected data access elements to security rules;
sending a first audit data collection to a first repository based on a first security rule of the security rules,
wherein the first security rule:
defines a first condition based on a first data access element of the collected data access elements,
defines the first audit data collection,
designates the first audit data collection as a default audit data collection for a first user, and
designates the first repository as a default repository for the first user,
wherein the first audit data collection includes a second data access element of the collected data access elements and
wherein the sending occurs in response to one or more of the collected data access elements of a data access by the first user matching the first condition in the first security rule and the sending directs the first audit data collection to the first repository responsive to the designation of the first repository in the first security rule; and
sending, for the data access by the first user, a second audit data collection to a second repository based on a second security rule of the security rules,
wherein the second security rule:
defines a second condition based on a third data access element of the collected data access elements,
defines the second audit data collection and
designates the second repository as a repository for the second audit data collection,
wherein the second audit data collection includes a fourth data access element of the collected data access elements and
wherein the sending the second audit data collection to the second repository occurs in response to one or more of the collected data access elements of the data access by the first user matching the second condition in the second security rule and the sending the second audit data collection directs the second audit data collection to the second repository responsive to the designation of the second repository in the second security rule,
wherein the third data access element is different than the fourth data access element, and
wherein the third data access element is a database table name and the fourth data access element is an IP address from which the database table is accessed.

US Pat. No. 10,397,278

TRANSPARENTLY ENHANCED AUTHENTICATION AND AUTHORIZATION BETWEEN NETWORKED SERVICES

BanyanOps, Inc., San Fra...

1. A computer-implemented method for facilitating communication between a plurality of networked services, the method comprising:
identifying, at a first host system, a first service of the plurality of networked services;
deploying, to the first host system, a first agent associated with the first service, the first agent including one or more identity tokens associated with the first service and one or more access tokens associated with a second service of the plurality of networked services;
identifying, at the first agent, a communication transmitted from the first service and directed to the second service;
determining whether the communication includes a network request; and
on condition that the communication includes the network request, transparently injecting the one or more identity tokens into the communication for use in authenticating and authorizing the first service, and automatically transmitting the communication to the second service in accordance with one or more security policies associated with the one or more access tokens.

US Pat. No. 10,397,277

DYNAMIC DATA SOCKET DESCRIPTOR MIRRORING MECHANISM AND USE FOR SECURITY ANALYTICS

AVOCADO SYSTEMS INC., Sa...

1. A computer-implemented method, comprising:
receiving, at a first host on which an application instance is operating, an application or data security policy for a first data socket descriptor indicating to perform one or more actions, the one or more actions including mirroring one or more payloads received or transmitted by the first data socket descriptor of the application instance; and
in response to the indication by the application and data security policy to perform the one or more actions, performing, by the application on the first host, the mirroring and at least one additional action selected from the group consisting of:
allow;
allow-and-analyze;
allow_analyze;
drop;
drop-and-analyze;
drop_analyze;
rate limit; and
combinations thereof;
wherein performing the additional action allow comprises allowing the application instance to receive a payload of a packet received via the first data socket descriptor;
wherein performing the additional action allow-and-analyze comprises:
allowing the application instance to receive the payload of the packet received via the first data socket descriptor; and
retaining statistics relating to the packet;
wherein performing the additional action allow analyze comprises:
allowing the application instance to receive the payload of the packet; and
mirroring the packet to an external security analytics application;
wherein performing the additional action drop comprises:
dropping the packet;
retaining statistics relating to the packet; and
logging the drop of the packet;
wherein performing the additional action drop-and-analyze comprises:
dropping the packet;
retaining statistics relating to the packet; and
mirroring the packet to the external security analytics application;
wherein performing the additional action drop analyze comprises:
dropping the payload of the packet; and
mirroring the packet to the external security analytics application; and
wherein performing the additional action rate limit comprises: limiting an amount of data transmitted via the first data socket descriptor based on the received application or data security policy.

US Pat. No. 10,397,276

SECURE ELEMENT MANAGEMENT METHOD AND TERMINAL

HUAWEI DEVICE CO., LTD., ...

1. A terminal, comprising:
a processing circuit; and
at least two secure element interfaces, wherein
the processing circuit is connected to the at least two secure element interfaces, and
the processing circuit is configured to:
acquire identification information of a first secure element when the first secure element is connected to the secure element interfaces;
acquire preset identification information, wherein the preset identification information is used to identify an exclusive secure element that, when being connected to the terminal, is configured to operate while excluding any other secure element connected to the terminal from being accessed by an external device;
determine whether the identification information of the first secure element matches the preset identification information; and
in response to a determination that the identification information of the first secure element matches the preset identification information, set the first secure element to a normal working state, and set one or more other secure elements connected to the terminal to a non-normal working state,
wherein, when setting the first secure element to the normal working state, the processing circuit is configured to:
send an instruction to a near field communication (NFC) controller;
set the first secure element to an enabled state;
create a logical channel between the processing circuit and the NFC controller, wherein the logical channel is used for communication between the processing circuit and the first secure element; and
configure routing information of an application installed on the first secure element into a routing table of the NFC controller,
wherein the processing circuit is further configured to set the first secure element and the one or more other secure elements to the normal working state when the identification information of the first secure element does not match the preset identification information and identification information of the one or more other secure elements does not match the preset identification information.

US Pat. No. 10,397,275

CREATING AND USING REMOTE DEVICE MANAGEMENT ATTRIBUTE RULE DATA STORE

NICIRA, INC., Palo Alto,...

1. A method of processing rules at a network element, the method comprising:
receiving a larger, first set of rules with each rule in the first set comprising a rule identifier including a set of remote device management (RDM) attributes;
for a plurality of RDM attributes belonging to a plurality of rule identifiers of the first set of rules, generating an index structure that identifies the rules that are associated with the plurality of the RDM attributes;
in response to receiving from a remote device a data message associated with an RDM attribute set, using at the network element the index structure to identify, from the larger first set of rules, a smaller second set of rules that potentially match the data message by identifying and selecting for the second set of rules each rule in the first set that matches at least one RDM attribute of the RDM attribute set associated with the received data message;
comparing the RDM attribute set associated with the received data message with the RDM attribute set of at least one rule in the identified second rule set to determine that the rule matches the message and hence should be used to process the message; and
using the matching rule to perform a middlebox service operation on the message.

US Pat. No. 10,397,274

PACKET INSPECTION AND FORENSICS IN AN ENCRYPTED NETWORK

salesforce.com, inc., Sa...

1. A method comprising:
providing, by a first computing device to a first node of a network, a request to access network traffic of the network;
in response to receiving access to the network traffic from the first node, writing, by the first computing device, first data from the network traffic to at least a first data store of a plurality of data stores in communication with the first computing device, the first data comprising first encrypted data and a first plurality of key exchange events;
receiving, by the first computing device, a request from a second computing device that is distinct from the first computing device to access encrypted data transmitted over the network;
in response to the receipt of the request from the second computing device, authenticating, by the first computing device, the second computing device;
identifying, by the first computing device based on a time range included in the request from the second computing device, a first portion of the first encrypted data and a first key exchange event of the first plurality of key exchange events;
calculating, by the first computing device, a first encryption key based on data included in the first key exchange event; and
providing, by the first computing device to the second computing device, the first encryption key and access to the first portion of the first encrypted data written on at least the first data store.

US Pat. No. 10,397,273

THREAT INTELLIGENCE SYSTEM

AMAZON TECHNOLOGIES, INC....

1. A system, comprising:
one or more hardware computing devices in communication with a first electronic data store and configured to execute specific computer-executable instructions that upon execution cause the system to:
receive a request from a first user to deploy a sensor;
use information describing virtual machine images used by the first user to configure a first sensor;
cause the first sensor to be launched within a virtual network of the first user with a first network connection that facilitates communication between the first sensor and one or more remote endpoints outside of the virtual network;
receive first activity information sent by the first sensor;
combine the first activity information with activity information from a second sensor associated with a second user into third activity information;
identify an Internet Protocol (“IP”) address as being a suspected source of malicious computing activity using the third activity;
create threat information that includes the IP address as a suspected source of malicious computing activity; and
make the threat information available to the first user.

US Pat. No. 10,397,272

SYSTEMS AND METHODS OF DETECTING EMAIL-BASED ATTACKS THROUGH MACHINE LEARNING

CAPITAL ONE SERVICES, LLC...

1. A system comprising:
at least one processor; and
at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to:
receive an email addressed to a user;
separate the email into a plurality of email components, the email components comprising a first link;
analyze, using machine-learning techniques, each of the plurality of email components, by:
virtually navigating to an end-point of the first link;
tracking re-routing by the first link between a starting point and the end-point;
receiving an automatic download triggered by the virtual navigation;
isolating the automatic download;
analyzing the automatic download; and
analyzing a content of the end-point; and
provide the analysis of each of the plurality of email components into a stacked ensemble analyzer; and
based on an output of the stacked ensemble analyzer, determine that the email is potentially malicious.

US Pat. No. 10,397,270

DYNAMIC SESSION RATE LIMITER

A10 Networks, Inc., San ...

1. A system for dynamically limiting new sessions, the system comprising:
a processor configured to initiate a dynamic session rate limiter based on predetermined criteria;
the dynamic session rate limiter configured to:
dynamically ascertain a remaining session table capacity; and
dynamically limit acceptance of session requests for new sessions according to a function selected to negatively correlate a number of the new sessions and a number of sessions allowed to be established at a current time in accordance with the remaining session table capacity; and
a storage node configured to:
maintain a session table; and
store the remaining session table capacity associated with the session table.

US Pat. No. 10,397,269

SECURITY KEY DERIVATION IN DUAL CONNECTIVITY

Sun Patent Trust, New Yo...

1. A master base station apparatus, comprising:
a receiver, which, in operation, receives from a secondary base station a change request of a secondary security key when a value of a COUNT exceeds a threshold value, wherein the secondary security key is a security key for the secondary base station;
control circuitry, which, in operation, increments a freshness counter and derives an updated secondary security key for the secondary base station by using the incremented freshness counter and a currently active security key of the master base station without refreshing the current active security key of the master base station; and
a transmitter, which, in operation, transmits the updated secondary security key to the secondary base station.

US Pat. No. 10,397,268

METHOD AND APPARATUS FOR PROVIDING NOTIFICATION OF DETECTED ERROR CONDITIONS IN A NETWORK

1. A first endpoint for managing a communication session, the first endpoint comprising:
a processor; and
a non-transitory computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising:
detecting an error condition associated with the communication session, wherein the first endpoint and a second endpoint are participating in the communication session, wherein the error condition comprises an attack on the communication session, wherein the attack comprises an invalid re-anchor request;
sending a notification of the error condition to the second endpoint using a first transport layer session management message of a transport layer session, wherein the communication session includes the transport layer session, wherein a header of the first transport layer session management message includes a record type, wherein the record type indicates that a payload of the first transport layer session management message contains session management information; and
receiving a communication from the second endpoint via a second transport layer session management message of the transport layer session, the communication proposing a response to the error condition.

US Pat. No. 10,397,267

THREAT INTELLIGENCE SYSTEM AND METHOD

ReliaQuest Holdings, LLC,...

1. A computer-implemented method, executed on a computing device, comprising:
importing threat data from a plurality of threat data sources, thus generating a plurality of raw threat data definitions, wherein the plurality of threat data sources includes social network trader sources, wherein importing threat data from a plurality of threat data sources includes defining a list of specific keywords and searching the social network trader sources for the specific keywords, wherein the list of keywords concern one or more of a specific type of attack, a specific company/organization targeted for an attack, and a specific known hacker;
processing the plurality of raw threat data definitions, thus generating a plurality of processed threat data definitions, wherein the plurality of raw threat data definitions include a plurality of data pieces with one or more of an age level and a trust level;
processing the plurality of processed threat data definitions to form a master threat data definition; and
providing the master threat data definition to one or more client electronic devices to enable the one or more client electronic devices to detect one or more threats, wherein providing the master threat data definition to one or more client electronic devices includes automatically providing at least a portion of the master threat data definition to the one or more client electronic devices using an Extract, Transform, Load (ETL) script.

US Pat. No. 10,397,266

VERIFYING THAT THE INFLUENCE OF A USER DATA POINT HAS BEEN REMOVED FROM A MACHINE LEARNING CLASSIFIER

SYMANTEC CORPORATION, Mo...

1. A computer-implemented method for verifying that influence of a user data point has been removed from a machine learning classifier, at least a portion of the method being performed by a network device comprising one or more processors, the method comprising:
training, by a network device, a machine learning classifier using a training set of data points that includes a user data point;
calculating, by the network device, a first loss of the machine learning classifier;
updating, by the network device, the machine learning classifier by updating parameters of the machine learning classifier to remove influence of the user data point using an influence function without retraining the machine learning classifier;
calculating, by the network device, a second loss of the machine learning classifier;
calculating, by the network device using an influence function, an expected difference in loss of the machine learning classifier due to removal of the influence of the user data point from the machine learning classifier; and
verifying that the influence of the user data point has been removed from the machine learning classifier by determining, by the network device, that the difference between the first loss and the second loss is within a threshold of the expected difference in loss.

US Pat. No. 10,397,265

MITIGATING SECURITY VULNERABILITIES IN WEB CONTENT

SHAPE SECURITY, INC., Mo...

1. A computer system comprising:
one or more hardware processors;
at least one memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to:
receive source code corresponding to a web page requested by a client device from a server device;
process the source code to identify one or more specified resources that are accessed by the source code;
determine that a particular resource of the one or more specified resources is subject to a mixed content vulnerability, the mixed content vulnerability comprising the source code allowing use of an unsecure channel with respect to the particular resource;
in response to determining that the particular resource is subject to the mixed content vulnerability, modify the source code to specify a security directive instructing a browser on the client device to enforce the security directive when the source code is executed on the client device;
cause transmission of the modified source code to the client device.

US Pat. No. 10,397,264

DIGITAL DYE PACKS

PayPal, Inc., San Jose, ...

1. A system, comprising:
a non-transitory memory; and
one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
receiving a user input from a user device in connection with conducting an electronic transaction;
determining that the user input comprises a modified identifier modified from an identifier associated with a user;
determining, from a plurality of identifier modifications, an identifier modification that corresponds to the modified identifier, wherein each identifier modification in the plurality of identifier modifications corresponds to an action;
obtaining, from the user device, external data representative of a context in which the user input was provided to the user device;
determining a risk associated with the transaction based on the identifier modification and the external data; and
tracking the electronic transaction based on the determined risk.

US Pat. No. 10,397,263

HIERARCHICAL PATTERN MATCHING FOR DEEP PACKET ANALYSIS

Futurewei Technologies, I...

1. An apparatus, comprising:
a first content addressable memory (CAM) storing a substring of a string of a regular expression as a plurality of bits that are individually searchable;
a memory comprising executable instructions; and
one or more processors coupled to the memory wherein the one or more processors execute the instructions to:
receive a data packet comprising a plurality of bits;
search the received data packet at a first hierarchical level using, at least in part, the first CAM and compare in parallel the plurality of bits of the received data packet to the plurality of bits of the substring to determine whether the substring of the string of the regular expression exists in the received data packet;
search the received data packet at a second hierarchical level when the search of the received data packet at the first hierarchical level finds a match, to determine whether the string of the regular expression exists in the received data packet; and
transmit the received data packet to a next network element along an original path of the received data packet without searching the received data packet at a third hierarchical level when the search of the received data packet at the first or second hierarchical level does not find a match.

US Pat. No. 10,397,262

DEVICE, SYSTEM, AND METHOD OF DETECTING OVERLAY MALWARE

BIOCATCH LTD., Tel Aviv ...

1. A method comprising:
automatically detecting that an overlay malware module is active on an electronic device having a touch-screen,
wherein the overlay malware module generates a malicious always-on-top masking layer that covers at least a portion of a content displayed by a victim application running on said electronic device;
wherein the detecting comprises:
(a) generating a protective always-on-top layer which is transparent and non-visible to a human user;
(b) automatically generating a non-human touch-event in a particular on-screen location of said touch-screen;
(c) detecting whether or not said non-human touch-event was actually received at said protective always-on-top layer within M milliseconds of performing step (b);
(d) if the detecting of step (c) indicates that said non-human touch-event was not received at said protective always-on-top layer within M milliseconds of performing step (b), then determining that said overlay malware module is active on the electronic device.

US Pat. No. 10,397,260

NETWORK SYSTEM

NIPPON TELEGRAPH AND TELE...

1. A network system, comprising:
a communication apparatus located in a user's local network; and
a control apparatus, located outside the user's local network, that communicates with the communication apparatus via an external network, wherein
the communication apparatus comprises:
processing circuitry configured to implement
a communication control unit that controls communication going through the communication apparatus; and
a collection unit that forms partial information that is a part, but less than all, of information related to the communication based on a predetermined collection rule, and transmits the partial information to the control apparatus;
the control apparatus comprises:
processing circuitry configured to implement
an analysis unit that performs analysis by using the partial information received from the communication apparatus and determines whether or not the communication is abnormal;
a control determination unit that controls a communication route for the communication control unit such that the communication is transmitted from the communication apparatus to the control apparatus when the communication is determined to be abnormal by the analysis unit; and
an analyzing unit that determines whether or not the communication transmitted by the control of the communication route is malicious communication, and
the control determination unit further controls, when the communication is determined to be malicious communication by the analyzing unit, the communication control unit to restrict the malicious communication,
wherein
the analysis unit generates model information based on partial information received from a plurality of communication apparatuses and stores the model information in a memory, and
the analysis unit applies the model information to the analysis.

US Pat. No. 10,397,258

CONTINUOUS LEARNING FOR INTRUSION DETECTION

Microsoft Technology Lice...

11. A system for securing an online service provided over a network via a continuously learning model, the system comprising:
a processor; and
a memory storage device, including instructions that when executed by the processor are operable to:
receive security signals from devices within the online service, the security signals associated with one or more network sessions;
extract feature vectors from each of the security signals, wherein a given feature vector provides numeric values representing a status of a given device from which a given security signal is received;
produce detection results for each of the feature vectors via associated predictive models, wherein a given detection result identifies whether the given security signal associated with a given network session is indicative of malicious or benign activity on the given device;
define a rolling window, wherein the rolling window includes a plurality of security signals and associated detection results that have been received within a timeframe from a current time;
produce a balanced training dataset for the rolling window, wherein to produce the balanced training dataset the system is further configured to:
identify an attack type of each of the security signals in the rolling window identified as being indicative of malicious activity;
increase a quantity of security signals identified with underrepresented attack types in the rolling window relative to security signals identified with overrepresented attack types; and
cross join the security signals identified as being indicative of malicious activity with security signals identified as being indicative of benign activity to produce attack scenarios for the rolling window; and
update, according to a machine learning algorithm, the associated predictive models based on the balanced training dataset.

US Pat. No. 10,397,257

MULTI-MODE BOUNDARY SELECTION FOR THREAT DETECTION IN INDUSTRIAL ASSET CONTROL SYSTEM

GENERAL ELECTRIC COMPANY,...

1. A system to protect an industrial asset control system, comprising:
a plurality of real-time monitoring node signal inputs to receive streams of monitoring node signal values over time that represent a current operation of the industrial asset control system; and
a threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs and an operating mode classification database, including a storage medium with programming instructions and a computer processor to:
(i) receive the streams of monitoring node signal values,
(ii) receive a current operating mode of the industrial asset control system,
(iii) based on the current operating mode and information in the operating mode classification database, determine that a first operating mode group is a current operating mode group, the first operating mode group being selected from a set of potential operating mode groups, wherein the first operating mode group corresponds to a first plurality of different operating modes of the industrial asset control system and is associated with a first decision boundary separating a normal state from an abnormal state, and a second operating mode group corresponds to a second plurality of different operating modes of the industrial asset control system and is associated with a second decision boundary different than the first decision boundary,
(iv) based on the streams of monitoring node signal values, generate at least one current monitoring node feature vector,
(v) based on the current operating mode group, select the first decision boundary as an appropriate decision boundary,
(vi) compare the at least one generated current monitoring node feature vector with the first decision boundary, and
(vii) automatically transmit a threat alert signal based on a result of said comparison.

US Pat. No. 10,397,256

SPAM CLASSIFICATION SYSTEM BASED ON NETWORK FLOW DATA

Microsoft Technology Lice...

1. A computer-implemented method for sharing data between at least an email service provider and a cloud service provider in order to identify network spamming message patterns without accessing spamming message content, the method comprising:
obtaining labels from messages associated with an email service provider, wherein the labels indicate for each message IP address how many spam and non-spam messages have been received;
obtaining network data features from a cloud service provider;
providing the labels and the network data features to a machine learning application, wherein the machine learning application identifies correlations between IP addresses associated with the labels and IP addresses associated with the network data features, the correlations being used to facilitate the machine learning application in generating a prediction model to detect spamming hosts that generate spamming messages;
generating the prediction model representing an algorithm for determining whether a particular set of network data features are spam or not; and
after an unlabeled message, which has not yet been characterized as spam or not as spam, is generated by a computing device of the cloud service provider and after the unlabeled message is received at a router of the cloud service provider in preparation for transmittal to a recipient computing device, applying the prediction model to the unlabeled message to determine whether the unlabeled message is spam or is not spam,
wherein the network data features from the cloud service provider include descriptors of connections between the computing device that generated the unlabeled message and the recipient computing device, the descriptors including information describing a source and destination IP address, source and destination ports, a protocol type, and a union of TCP flags.

US Pat. No. 10,397,255

SYSTEM AND METHOD FOR PROVIDING SECURITY IN A DISTRIBUTED COMPUTATION SYSTEM UTILIZING CONTAINERS

StackRox, Inc., Mountain...

1. A server, comprising: a processor; and
a memory connected to the processor, the memory storing instructions executed by the processor to:
collect operating signals from machines, wherein each operating signal characterizes the state or a change in operational state of a designated application operating within a designated container, wherein the designated container is an isolated process in user space designated by an operating system kernel, wherein the operational state includes characterization of system calls, function calls, network input and output, file reads and file writes for the designated application,
compare the operating signals to models that incorporate summarizations of data sets that represent observed benign operating signals and malicious operating signals for the designated application operating within the designated container, and
characterize risks associated with the operating signals.

US Pat. No. 10,397,254

METHOD AND SYSTEM OF MONITORING NETWORK

AJOU UNIVERSITY INDUSTRY-...

1. A method for monitoring a network, the method comprising: a first packet detouring process of, with respect to a first packet transmitted to a monitoring target apparatus from a higher network apparatus, converting, by a first server, the first packet transmitted from the higher network apparatus to the monitoring target apparatus into a predetermined communication protocol and transmitting the converted first packet to a first client through a first communication connection, the first communication connection being a communication connection between the first server and the first client connected to the network, inversely converting, by the first client, the converted first packet into the protocol used in the network to acquire the first packet and transmitting the acquired first packet to a second client through the network, converting, by the second client, the received first packet into the predetermined communication protocol and transmitting the converted first packet to a second server through a second communication connection, and inversely converting, by the second server, the received converted first packet to acquire the first packet and transmitting the acquired first packet to a lower network apparatus; and
a second packet detouring process of, with respect to a second packet transmitted to the monitoring target apparatus from the lower network apparatus, converting, by the second server connected to the network, the second packet to the predetermined communication protocol and transmitting the converted second packet to the higher network apparatus by detouring a path on which the second packet is transmitted to the higher network apparatus through the monitoring target apparatus by using the second communication connection distinguished from the network.

US Pat. No. 10,397,253

COGNITIVE AND CONTEXTUAL DETECTION OF MALICIOUS DNS

INTERNATIONAL BUSINESS MA...

1. A method comprising: constructing, from a record of a packet in a Domain Name System (DNS) communication between a DNS client and a DNS server, an input feature;
computing, using the packet, a metadata item supporting the input feature;
computing a set of weights corresponding to a set of nodes in a recurrent neural network (RNN) by passing a term and a set of words to a function, wherein the term and the set of words are parsed from a payload of the record in the packet;
applying the set of weights to the set of nodes in the RNN to output an entity of the term, a co-reference of the term, and a class of the term;
computing a confidence value corresponding to the entity of the term, the co-reference of the term, or the class of the term;
classifying, using a processor and a memory to execute a cognitive classification model, and by supplying the input feature and the metadata item as inputs to the cognitive classification model, a transmission of the packet as malicious use of DNS tunneling between the DNS client and the DNS server, the classifying using the confidence value and one of the entity of the term, the co-reference of the term, or the class of the term;
outputting, from the cognitive classification model, a classification of the packet as malicious, and the confidence value in the malicious classification; and
causing, by generating a notification, the DNS client to cease the malicious use of the DNS tunneling.

US Pat. No. 10,397,252

DYNAMIC DETECTION OF UNAUTHORIZED ACTIVITY IN MULTI-CHANNEL SYSTEM

Bank of America Corporati...

1. A dynamic unauthorized activity detection computing platform, comprising: at least one processor;
a communication interface communicatively coupled to the at least one processor; and
memory storing computer-readable instructions that, when executed by the at least one processor, cause the dynamic unauthorized activity detection computing platform to:
receive first data from a first communication channel;
format the first data received from the first communication channel;
analyze the formatted first data received from the first communication channel to identify a first occurrence of triggering content;
receive second data from a second communication channel different from the first communication channel;
format the second data received from the second communication channel;
analyze the formatted second data received from the second communication channel to identify a second occurrence of triggering content;
evaluate, based on one or more machine learning datasets, the first occurrence of triggering content and the second occurrence of triggering content to determine whether triggering content of the first occurrence, in combination with triggering content of the second occurrence, indicates unauthorized activity;
responsive to determining that the triggering content of the first occurrence in combination with the triggering content of the second occurrence indicates unauthorized activity, modifying operation of at least one of the first communication channel and the second communication channel; and
responsive to determining that the triggering content of the first occurrence in combination with the triggering content of the second occurrence does not indicate unauthorized activity, receive subsequent data from at least one of the first communication channel and the second communication channel.

US Pat. No. 10,397,251

SYSTEM AND METHOD FOR SECURING AN ELECTRONIC CIRCUIT

1. A system for securing an electronic circuit comprising: plural regions, activity of which may be individually controlled;
a plurality of sensors integrated into the electronic circuit, each sensor being sensitive to variations in manufacturing process and configured to provide a measurement representative of a local activity of the electronic circuit;
a processor comprising an integrity verification circuit configured to:
deactivate all regions of the electronic circuit and make an acquisition of the measurements supplied by the sensors;
activate a single region of the electronic circuit one by one, and make an acquisition of the measurements supplied by the sensors;
for each region, and for each sensor, compare the measurement made by the sensor when only the region is activated with the measurement made by the sensor when all of the regions are deactivated;
determine, from the compared measurements, and for each of the regions, a partition of the sensors between sensors affected and sensors not affected by an activation of the region;
compare each of the partitions with a model partition to detect possible presence of a hardware Trojan horse liable to infect the electronic circuit.
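
The activate-one-region-at-a-time check in the claim above, as an added worked example that is not part of the patent or its disclosure: the circuit, its sensor couplings, the golden (model) partition, the inserted Trojan and the 0.05 "affected" threshold are all constructed assumptions.

```python
# Added example (not from the patent): activate-one-region-at-a-time test that
# partitions on-chip sensors into "affected" / "not affected" per region and
# compares each partition with a golden model partition. The circuit, its
# sensor couplings and the Trojan are constructed for illustration.
from typing import Dict, FrozenSet, Iterable, List, Optional

REGIONS = ["R0", "R1", "R2", "R3"]
SENSORS = ["S0", "S1", "S2", "S3", "S4", "S5"]

# Golden model: which sensors a genuine design perturbs when each region runs.
MODEL_PARTITION: Dict[str, FrozenSet[str]] = {
    "R0": frozenset({"S0", "S1"}),
    "R1": frozenset({"S1", "S2"}),
    "R2": frozenset({"S3"}),
    "R3": frozenset({"S4", "S5"}),
}
AFFECT_THRESHOLD = 0.05  # constructed: minimum change that counts as "affected"

class Chip:
    """Constructed stand-in for the circuit: each sensor has its own baseline
    (manufacturing variation) and each active region shifts nearby sensors."""

    def __init__(self, coupling: Dict[str, Dict[str, float]],
                 trojan: Optional[Dict[str, Dict[str, float]]] = None):
        self.coupling = coupling
        self.trojan = trojan or {}       # extra logic hidden inside a region
        self.baseline = {s: 1.0 + 0.01 * i for i, s in enumerate(SENSORS)}

    def acquire(self, active: Iterable[str]) -> Dict[str, float]:
        """Read every sensor while exactly the given regions are active."""
        reading = dict(self.baseline)
        for region in active:
            for source in (self.coupling, self.trojan):
                for sensor, delta in source.get(region, {}).items():
                    reading[sensor] += delta
        return reading

def derive_partition(chip: Chip, threshold: float = AFFECT_THRESHOLD) -> Dict[str, FrozenSet[str]]:
    """All-off acquisition, then one region at a time; a sensor is 'affected'
    by a region when its reading moves more than `threshold` from all-off."""
    idle = chip.acquire([])
    partition = {}
    for region in REGIONS:
        single = chip.acquire([region])
        affected = {s for s in SENSORS if abs(single[s] - idle[s]) > threshold}
        partition[region] = frozenset(affected)
    return partition

def suspect_regions(observed: Dict[str, FrozenSet[str]],
                    model: Dict[str, FrozenSet[str]] = MODEL_PARTITION) -> List[str]:
    """Regions whose measured partition differs from the golden one."""
    return sorted(r for r in model if observed.get(r) != model[r])

# Constructed couplings: strong neighbours plus sub-threshold crosstalk.
GENUINE_COUPLING = {
    "R0": {"S0": 0.30, "S1": 0.20, "S2": 0.02},
    "R1": {"S1": 0.25, "S2": 0.30},
    "R2": {"S3": 0.40},
    "R3": {"S4": 0.20, "S5": 0.30, "S3": 0.01},
}
# Constructed Trojan: extra logic in R2 that also loads the sensor near S2.
TROJAN = {"R2": {"S2": 0.15}}

if __name__ == "__main__":
    print(suspect_regions(derive_partition(Chip(GENUINE_COUPLING))))          # []
    print(suspect_regions(derive_partition(Chip(GENUINE_COUPLING, TROJAN))))  # ['R2']
```

Because each sensor is compared against its own all-off reading, the per-sensor baseline spread from process variation cancels out of the comparison. The threshold has to sit above the genuine crosstalk (0.02 here) but below the smallest contribution the inserted logic makes (0.15 here); that tuning, and a Trojan small enough to stay under it, is the practical limit of this kind of check.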

US Pat. No. 10,397,250

METHODS FOR DETECTING REMOTE ACCESS TROJAN MALWARE AND DEVICES THEREOF

F5 Networks, Inc., Seatt...

1. A method for detecting remote access trojan (RAT) malware implemented by a network traffic management system comprising one or more security management apparatuses, server devices, or client devices, the method comprising: retrieving a web page from a server in response to a request for the web page received via one or more communication networks from a client;
injecting RAT malware detection client-side source code into the web page and sending the web page via the communication networks to the client, wherein the RAT malware detection client-side source code is configured to:
monitor one or more key press events, to determine when one or more of the key press events are not preceded by a key down event or followed by a key up event, or monitor executing animations, to determine when more than one instance of a web browser of the client is active, and
output an alert when a possible network attack is detected based on the monitoring of the key press events or the monitoring of the executing animations;
determining when another alert has been received via the communication networks from the client; and
initiating a security action with respect to network traffic associated with the client according to an established policy, when the determination indicates that the another alert has been received via the communication networks from the client.

US Pat. No. 10,397,249

INTRUSION DETECTION BASED ON LOGIN ATTEMPTS

salesforce.com, inc., Sa...

1. A system comprising: one or more processors; and
a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to:
identify an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
determine a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
determine a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
determine one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
determine an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
cause an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
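
The scoring in the claim above, as an added worked example that is not part of the patent: it computes a destination score, a source-given-destination score and a success-rate shift between a short and an extended window, combines them into an outlier score and alerts on a threshold. The log lines, the 1-day/30-day windows, the negative-log combination, the weight of 5 on the success-rate shift and the threshold of 3.0 are constructed; the patent does not give these formulas.

```python
# Added example (not from the patent): outlier score for a login attempt built
# from the user's own history: destination score, source-given-destination
# score and the shift in success rate between a short and an extended window.
# Log lines, the windows, the weighting and the alert threshold are constructed.
import math
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"result=(?P<result>success|failure)$")
ALERT_THRESHOLD = 3.0   # constructed

class Attempt(NamedTuple):
    ts: datetime
    user: str
    src: str
    dst: str
    ok: bool

def parse_log(lines: List[str]) -> List[Attempt]:
    """Parse constructed login records; lines that do not match are skipped."""
    attempts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        attempts.append(Attempt(ts, m["user"], m["src"], m["dst"], m["result"] == "success"))
    return attempts

def _success_rate(xs: List[Attempt]) -> Optional[float]:
    return sum(a.ok for a in xs) / len(xs) if xs else None

def score_attempt(history: List[Attempt], current: Attempt, now: datetime,
                  period: timedelta = timedelta(days=1),
                  extended: timedelta = timedelta(days=30),
                  shift_weight: float = 5.0) -> Dict[str, float]:
    """Score `current` against this user's earlier attempts (current included
    in the counts so a never-seen destination still yields a finite score)."""
    mine = [a for a in history if a.user == current.user] + [current]
    n_all = len(mine)
    n_dst = sum(a.dst == current.dst for a in mine)
    n_src_dst = sum(a.dst == current.dst and a.src == current.src for a in mine)
    destination_score = n_dst / n_all                # P(dst | user)
    source_given_destination = n_src_dst / n_dst     # P(src | user, dst)
    recent = _success_rate([a for a in mine if now - a.ts <= period])
    longer = _success_rate([a for a in mine if now - a.ts <= extended])
    success_rate_score = abs(recent - longer) if recent is not None and longer is not None else 0.0
    # Rare destination and rare source-for-destination raise the score
    # (negative log-probabilities); a change in success rate adds to it.
    outlier = (-math.log(destination_score) - math.log(source_given_destination)
               + shift_weight * success_rate_score)
    return {"destination": destination_score, "source_given_destination": source_given_destination,
            "success_rate_shift": success_rate_score, "outlier": outlier,
            "alert": outlier >= ALERT_THRESHOLD}

# --- constructed sample data ---------------------------------------------
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def _line(ts: datetime, user: str, src: str, dst: str, ok: bool) -> str:
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} src={src} dst={dst} result={'success' if ok else 'failure'}"

# 20 days of routine bastion1 -> db7 logins plus a few wiki logins, all successful.
BASELINE_LINES = ([_line(NOW - timedelta(days=i, hours=2), "alice", "bastion1", "db7", True) for i in range(1, 21)]
                  + [_line(NOW - timedelta(days=i, hours=3), "alice", "bastion1", "wiki", True) for i in (2, 9, 16)])
# Today: repeated failures from an unfamiliar laptop against a file server.
SUSPICIOUS_LINES = [_line(NOW - timedelta(hours=h), "alice", "laptop9", "fileserver3", False) for h in (4, 3, 2, 1)]

def demo() -> Dict[str, Dict[str, float]]:
    baseline = parse_log(BASELINE_LINES)
    routine = Attempt(NOW, "alice", "bastion1", "db7", True)
    new_source = Attempt(NOW, "alice", "kiosk", "db7", True)
    brute = Attempt(NOW, "alice", "laptop9", "fileserver3", False)
    return {
        "routine": score_attempt(baseline, routine, NOW),
        "new_source": score_attempt(baseline, new_source, NOW),
        "failing_burst": score_attempt(baseline + parse_log(SUSPICIOUS_LINES), brute, NOW),
    }

if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name:14s} outlier={s['outlier']:.2f} alert={s['alert']}")
```

Counting the current attempt in the totals is what keeps a never-seen source or destination at a finite score (ln 24 for the kiosk case) instead of an infinite one. The success-rate term is only defined when the short window has attempts in it; for users who log in rarely the login-frequency variant named in the claim is the better choice of third term.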

US Pat. No. 10,397,248

METHOD AND APPARATUS FOR MONITORING NETWORK

FUJITSU LIMITED, Kawasak...

1. A network monitoring apparatus, comprising: a memory; and
a processor configured to use the memory and execute a process, the process comprising:
specifying, for each of a plurality of packet groups and from the plurality of packet groups, a feature value relating to a targeted attack, wherein each of the plurality of packet groups includes a plurality of packets that were communicated between an internal terminal and an external terminal on a connection between the internal terminal and the external terminal;
calculating, for the plurality of packet groups, a value of a standard deviation of feature values specified for the plurality of packet groups;
determining whether the calculated value is equal to or greater than a predetermined threshold value as an indication of the targeted attack; and
outputting an alert regarding the targeted attack, after determining that the calculated value is equal to or greater than the predetermined threshold value,
wherein the feature value includes at least one of a number of packets included in a packet group of the plurality of packet groups, a size of one or more packets included in the packet group, a time interval between the packet group and another packet group immediately before the packet group, and a value related to contents of data part of the plurality of packets included in the packet group,
wherein the calculating is executed, when an IP address of a connection source of the connection is an IP address in an internal network, an IP address of a connection destination of the connection is an IP address in an external network, and a port number of the connection destination of the connection is a port number representing access to a web server.
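
The per-connection calculation in the claim above, as an added worked example that is not part of the patent: outbound web connections are split into packet groups, one feature value per group is taken (packet count, bytes, inter-group interval), and an alert is raised when the standard deviation of a feature across the groups reaches a threshold. The packets, the 10.0.0.0/8 internal prefix, the 2-second group gap and the per-feature thresholds are constructed assumptions.

```python
# Added example (not from the patent): split each outbound web connection into
# packet groups, take one feature value per group and alert when the standard
# deviation of that feature across groups reaches a threshold. The traffic,
# the internal prefix, the group gap and the thresholds are constructed.
import ipaddress
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed internal network
WEB_PORTS = {80, 443}
GROUP_GAP = 2.0   # constructed: seconds of silence that closes a packet group
STD_THRESHOLDS = {"count": 3.0, "bytes": 2000.0, "interval": 3.0}  # constructed

@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    size: int

Connection = Tuple[str, str, int]   # (source IP, destination IP, destination port)

def is_monitored(conn: Connection) -> bool:
    """Only internal-source, external-destination, web-port connections are scored."""
    src, dst, dport = conn
    return (ipaddress.ip_address(src) in INTERNAL_NET
            and ipaddress.ip_address(dst) not in INTERNAL_NET
            and dport in WEB_PORTS)

def split_groups(packets: List[Packet]) -> List[List[Packet]]:
    """Packets closer together than GROUP_GAP belong to the same group."""
    groups: List[List[Packet]] = []
    for p in sorted(packets, key=lambda p: p.ts):
        if groups and p.ts - groups[-1][-1].ts <= GROUP_GAP:
            groups[-1].append(p)
        else:
            groups.append([p])
    return groups

def group_features(groups: List[List[Packet]]) -> Dict[str, List[float]]:
    return {
        "count": [float(len(g)) for g in groups],
        "bytes": [float(sum(p.size for p in g)) for g in groups],
        "interval": [groups[i][0].ts - groups[i - 1][-1].ts for i in range(1, len(groups))],
    }

def feature_stddev(values: List[float]) -> Optional[float]:
    return statistics.pstdev(values) if len(values) >= 2 else None

def analyze(packets: List[Packet]) -> Dict[Connection, Dict[str, object]]:
    """Per monitored connection: std dev of each feature and whether it alerts."""
    by_conn: Dict[Connection, List[Packet]] = {}
    for p in packets:
        by_conn.setdefault((p.src, p.dst, p.dport), []).append(p)
    report: Dict[Connection, Dict[str, object]] = {}
    for conn, pkts in by_conn.items():
        if not is_monitored(conn):
            continue
        stds = {name: feature_stddev(vals) for name, vals in group_features(split_groups(pkts)).items()}
        alerting = sorted(name for name, s in stds.items()
                          if s is not None and s >= STD_THRESHOLDS[name])
        report[conn] = {"stddev": stds, "alert": bool(alerting), "alerting_features": alerting}
    return report

# --- constructed traffic -------------------------------------------------
def burst(conn: Connection, start: float, n: int, size: int = 500) -> List[Packet]:
    src, dst, dport = conn
    return [Packet(start + 0.1 * i, src, dst, dport, size) for i in range(n)]

IRREGULAR = ("10.0.0.5", "203.0.113.10", 443)   # bursts of very different sizes
REGULAR = ("10.0.0.7", "198.51.100.4", 443)     # steady bursts
INBOUND = ("203.0.113.10", "10.0.0.5", 443)     # external source: not scored
SSH = ("10.0.0.9", "198.51.100.9", 22)          # not a web port: not scored

PACKETS: List[Packet] = []
for i, n in enumerate([1, 8, 2, 15, 3]):
    PACKETS += burst(IRREGULAR, 100.0 + 10.0 * i, n)
    PACKETS += burst(INBOUND, 100.0 + 10.0 * i, n)
for i, n in enumerate([4, 4, 5, 4, 4]):
    PACKETS += burst(REGULAR, 100.0 + 10.0 * i, n)
    PACKETS += burst(SSH, 100.0 + 10.0 * i, n * 3)

if __name__ == "__main__":
    for conn, r in analyze(PACKETS).items():
        print(conn, "ALERT" if r["alert"] else "ok",
              {k: round(v, 2) for k, v in r["stddev"].items() if v is not None})
```

The thresholds are per feature because the features have different scales: the byte feature of a perfectly steady connection still has a standard deviation of hundreds once packet sizes are in the hundreds, so a single threshold shared with the packet-count feature would alert on everything. The group gap decides what counts as one "packet group" and needs to be set from the application's own idle times.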

US Pat. No. 10,397,247

SMART INTRUSION PREVENTION POLICY

International Business Ma...

1. A method for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the method comprising: determining, by one or more computer processors, whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
responsive to determining that the new connection is detected, adding, by one or more computer processors, a connection context associated with the new connection to a current connection context in a dynamic event table,
wherein: the connection context is based on one or more of: an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity and is associated with a respective data packet, and wherein each event in the listing of two or more events is retrieved from a repository;
calculating, by one or more computer processors, a score for each event of two or more events in the dynamic event table based on the current connection context;
generating, by one or more computer processors, an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
performing, by one or more computer processors, a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
responsive to determining that a signature was found for an event among the two or more events, preventing, by one or more computer processors, intrusion of the data packet associated with the event.
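
The context-scored, ordered signature check in the claim above, as an added worked example that is not part of the patent: a dynamic event table holds the current and previous connection contexts and a list of candidate events, scores each event against the current OS type, OS version and sending application, sorts by score and runs the signature check only for events at or above a threshold, stopping at the first match. The events, their toy signatures, the dimension weights and the 0.5 threshold are constructed; substring matching stands in for a real signature engine.

```python
# Added example (not from the patent): a dynamic event table that scores each
# candidate malicious-activity event against the current connection context
# (OS type, OS version, sending application), orders the events, and runs the
# signature check only for events at or above a threshold, in that order.
# Events, signatures, weights and the threshold are constructed for illustration.
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class ConnectionContext:
    os_type: str
    os_version: str
    application: str

@dataclass(frozen=True)
class Event:
    """One malicious activity from the repository; an empty set means 'any'."""
    name: str
    signature: bytes
    os_types: FrozenSet[str] = frozenset()
    os_versions: FrozenSet[str] = frozenset()
    applications: FrozenSet[str] = frozenset()

WEIGHTS = {"os_type": 0.4, "os_version": 0.3, "application": 0.3}  # constructed
SCORE_THRESHOLD = 0.5                                               # constructed

def score_event(event: Event, ctx: ConnectionContext) -> float:
    """Sum of weights for matching dimensions; any explicit mismatch scores 0."""
    dims = ((event.os_types, ctx.os_type, "os_type"),
            (event.os_versions, ctx.os_version, "os_version"),
            (event.applications, ctx.application, "application"))
    total = 0.0
    for allowed, actual, name in dims:
        if allowed and actual not in allowed:
            return 0.0
        total += WEIGHTS[name]
    return total

class DynamicEventTable:
    def __init__(self, events: List[Event], history: int = 8):
        self.events = list(events)
        self.contexts: Deque[ConnectionContext] = deque(maxlen=history)  # current + previous

    def new_connection(self, ctx: ConnectionContext) -> None:
        self.contexts.append(ctx)

    @property
    def current(self) -> ConnectionContext:
        return self.contexts[-1]

    def ordered_events(self) -> List[Tuple[float, Event]]:
        scored = [(score_event(e, self.current), e) for e in self.events]
        return sorted(scored, key=lambda t: (-t[0], t[1].name))   # highest score first

    def inspect(self, payload: bytes) -> Dict[str, object]:
        """Check signatures in score order; stop at the first match."""
        checked: List[str] = []
        skipped: List[str] = []
        for s, e in self.ordered_events():
            if s < SCORE_THRESHOLD:
                skipped.append(e.name)
                continue
            checked.append(e.name)
            if e.signature in payload:       # placeholder for the real signature engine
                return {"blocked": True, "matched": e.name, "checked": checked, "skipped": skipped}
        return {"blocked": False, "matched": None, "checked": checked, "skipped": skipped}

# Constructed repository of events (toy signatures, not real detection content).
EVENTS = [
    Event("win_smb_probe", b"\xffSMB", frozenset({"windows"}), frozenset(), frozenset({"smb"})),
    Event("web_path_traversal", b"../../", frozenset({"linux", "windows"}), frozenset(), frozenset({"httpd", "iis"})),
    Event("cgi_shell_invoke", b"/bin/sh", frozenset({"linux"}), frozenset(), frozenset({"httpd"})),
    Event("legacy_ie_script", b"unescape(", frozenset({"windows"}), frozenset({"xp", "7"}), frozenset({"iexplore"})),
]

def demo(payload: bytes) -> Dict[str, object]:
    table = DynamicEventTable(EVENTS)
    table.new_connection(ConnectionContext("linux", "5.x", "httpd"))
    return table.inspect(payload)

if __name__ == "__main__":
    print(demo(b"GET /cgi-bin/../../etc/passwd HTTP/1.1"))
    print(demo(b"GET /index.html HTTP/1.1"))
```

For the Linux/httpd connection the two Windows-only events score 0 and are never checked, which is the efficiency the claim is after; the cost is that a packet carrying a Windows signature over a connection whose context was mis-identified (the context is inferred from the traffic, not authenticated) is skipped too, so the threshold should be set with that failure mode in mind.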

US Pat. No. 10,397,246

SYSTEM AND METHODS FOR MALWARE DETECTION USING LOG BASED CROWDSOURCING ANALYSIS

Radware, Ltd., Tel Aviv ...

1. A crowdsourcing log analysis system for protecting a plurality of client networks from security threats, each of said plurality of client networks is associated with a set of network entities, said crowdsourcing log analysis system comprising: a plurality of server machines, each of said plurality of server machines comprising logic configured to execute a third-party security product and log associated third-party assessment attributes of at least one suspect entity into at least one log file; and
each of said plurality of client networks comprising logic configured to connect with at least one of said plurality of server machines to receive at least one log file;
at least one breach detection platform comprising logic configured to receive a plurality of log files from said plurality of client networks via a communication network, said at least one log file being one of the plurality of log files;
wherein said crowdsourcing log analysis system is configured to generate a risk factor for said at least one suspect entity based upon at least a plurality of said third party assessment attributes; and
wherein said crowdsourcing log analysis system causes blocking of communication for said at least one suspect entity based upon at least said risk factor being indicative of said at least one suspect network entity being a security threat.

US Pat. No. 10,397,245

INTERFACE WITH SECURE INTERMEDIARY PLATFORM TO GENERATE DATA COMPATIBLE WITH AN EXTERNAL SYSTEM IN AN OIL AND GAS ASSET SUPPLY CHAIN

SICPA HOLDING SA, Prilly...

1. A method of generating data in an oil and gas supply chain for compatibility with external systems, comprising: receiving data associated with the oil and gas assets, the data collected from at least one of an industrial control system, a first set of sensors and data collectors located along the oil and gas supply chain, wherein at least part of the data is received from at least one of a secure/trusted sensor and a secure/trusted industrial control system (ICS) which are connected with the first set of sensors and data collectors and which securely collect and verify the data from the first set of sensors and data collectors and digitally secure the verified data, wherein the at least one of a secure/trusted sensor and a secure/trusted ICS is protected from at least one of tampering, injection of unwanted data and unauthorized access;
storing the received data in a secure intermediary platform comprising at least one software component and being protected from at least one of tampering, injection of unwanted data and unauthorized access; and
adding attributes to the stored data using a business rules engine to create enhanced data, wherein the additional attributes of the enhanced data include at least one secure attribute allowing detection of modification or corruption of the enhanced data and authentication of the enhanced data.

US Pat. No. 10,397,244

SYSTEM AND METHOD FOR DETECTING ATTACK WHEN SENSOR AND TRAFFIC INFORMATION ARE INCONSISTENT

TOYOTA JIDOSHA KABUSHIKI ...

1. A system for detecting an attack, comprising a server and a plurality of vehicles capable of wirelessly communicating with each other, each of the plurality of vehicles including:
a sensor; and
a vehicle processor configured to act as:
a sensor information acquisition interface adapted to acquire sensor information from the sensor; and
a traffic information reception interface adapted to receive traffic information through wireless communication, wherein the traffic information is information that describes a road condition around the vehicle and is sent from an outside of the vehicle,
wherein a cryptographic processor is configured to verify electronic signature data of the received traffic information and detect invalid traffic information using signature information notified from the server; and
a transmitter adapted to transmit the sensor information and the traffic information to the server, and
the server including:
a server processor configured to act as:
a specification controller to specify to at least any of the plurality of vehicles signature information indicating the characteristics of the invalid traffic information;
a reception controller adapted to receive the sensor information and the traffic information from at least any of the plurality of vehicles;
a verification controller adapted to verify whether the sensor information and the traffic information are inconsistent with each other, the sensor information and the traffic information determined to be inconsistent with each other when the road condition indicated by the traffic information and a road condition derived from the sensor information do not match; and
a notification controller adapted to notify, when the sensor information and the traffic information are inconsistent with each other, at least any of the plurality of vehicles of the inconsistency between the sensor information and the traffic information.

US Pat. No. 10,397,243

CONDITION CHECKING FOR PAGE INTEGRATION OF THIRD PARTY SERVICES

SAP SE, Walldorf (DE)

1. A system comprising: at least one processor; and
instructions that, when executed by the at least one processor, cause the at least one processor to provide:
a widget generator configured to provide, to a browser application, a functionally disabled widget in conjunction with downloading, by the browser application, of an untrusted third party page that specifies the widget for inclusion in the untrusted third party page; and
a protection manager configured to provide, to the browser application, in conjunction with the widget generator providing the widget, a protection script instance for inclusion within the widget, the protection script instance being executable within a page context of the untrusted third party page, the page context being separate from a widget context of the widget,
wherein the protection script instance requests execution within the page context of the untrusted third party page to determine whether a condition associated with a frame node of a document object model (DOM) of the widget has been met, and sends an authenticated POST message to enable the widget when the condition is met, and to exclude the widget from the untrusted third party page or keep the widget disabled when the condition is not met, wherein the condition includes a visibility condition requiring that the widget be visible within the page when rendered, wherein a change monitor is configured to continuously monitor the visibility condition after an initial determination by a condition inspector and prevent alteration of the visibility condition upon detection of execution of a malicious page violating the visibility condition, the condition inspector is configured to modify the visibility condition in response to the execution of the malicious page.

US Pat. No. 10,397,242

ENHANCING INTEGRITY OF DATA CENTER SPECIFIC INFORMATION

NOKIA SOLUTIONS AND NETWO...

1. A method comprising: receiving, by an apparatus of a data center, a request message from an on-line server computer of the data center, wherein on-line refers to a working mode where a cloud-based software application of a customer is running and providing an intended service, the apparatus and the server computer being physically separate entities communicatively coupled with each other, said message requesting data center specific information stored in a memory area of the apparatus;
initiating, by the apparatus, deciphering of the request message in response to receiving the request message; and
as a response to successfully deciphering the request message, transmitting, by the apparatus, a response message to the server computer, said message comprising the data center specific information acquired from the memory area of the apparatus,
the data center specific information comprising at least one of a jurisdiction identifier, a data center identifier uniquely identifying the data center, and pre-stored geolocation data, the data center specific information being stored in a read-only memory area of the apparatus, the read-only memory being a write once memory area before the data center specific information is stored in said memory,
wherein the data center comprises a plurality of on-line server computers each communicatively coupled with the apparatus, the apparatus configured to provide said data center specific information to each of the plurality of server computers.

US Pat. No. 10,397,240

VERSATILE AUTOSCALING FOR CONTAINERS

Amazon Technologies, Inc....

1. A system, comprising: a scaling service that includes one or more processors and first memory including first instructions that, as a result of execution by the one or more processors, cause the scaling service to:
register, as a scalable target, a scalable dimension of a resource of a resource service, the resource service comprising a software container service, a database service, or a messaging service;
in response to receipt of a notification associated with a stored policy, wherein the policy includes a set of parameters and a scaling action to perform to the scalable target, the policy specifying, in the set of parameters, a security role that authorizes fulfillment of requests:
obtain the policy from storage;
submit a first request to a resource service, the first request being a request to perform the scaling action to the scalable target in accordance with the set of parameters;
submit a second request to the resource service, the second request being a request for data from which a determination can be made whether the scalable target has been scaled in accordance with the policy; and
determine, based at least in part on a response to the second request, whether the first request has been fulfilled; and
the resource service that includes one or more processors and second memory including second instructions that, as a result of execution by the one or more processors, cause the resource service to:
initiate performance of the scaling action in accordance with the set of parameters; and
submit, to the scaling service, the response that includes the data.

US Pat. No. 10,397,239

SECURE ACCESS TO CLOUD-BASED SERVICES

MOBILE IRON, INC., Mount...

1. A method to provide secure mobile access to a cloud-based service, comprising: receiving, at a security proxy, credential information from the cloud-based service, wherein the credential information is extracted, by the cloud-based service, from a synthesized basic authentication header, wherein the synthesized basic authentication header includes a hash of information obtained from a security certificate that was provided from a mobile device to the security proxy, wherein the synthesized basic authentication header is provided from the security proxy to the cloud-based service;
using the extracted credential information to determine that access to the cloud-based service is authorized for the mobile device; and
providing to the cloud based service a security token that indicates the mobile device is authorized to access the cloud-based service.
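
The three-party exchange in the claim above, as an added worked example that is not part of the patent: the security proxy derives a Basic authentication header from the certificate the device presented, the cloud service extracts the credential from that header and hands it back to the proxy, and the proxy answers with a signed token only for an enrolled, compliant device. The certificate stand-in, the enrolment registry, the "CN:sha256-fingerprint" credential layout and the HMAC token format are constructed assumptions; a real proxy would first validate the certificate chain in the TLS handshake, which is outside this example.

```python
# Added example (not from the patent): proxy synthesizes a Basic header from the
# device certificate; the cloud service extracts the credential, asks the proxy
# whether the device is authorized, and accepts the proxy's signed token.
# Certificate stand-in, registry, credential layout and token format are constructed.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class DeviceCert:
    subject_cn: str
    der: bytes        # stand-in for the DER-encoded certificate

def fingerprint(cert: DeviceCert) -> str:
    return hashlib.sha256(cert.der).hexdigest()

class SecurityProxy:
    def __init__(self, token_key: bytes):
        self.token_key = token_key
        self.enrolled: Dict[str, str] = {}     # fingerprint -> device id
        self.compliant: Set[str] = set()

    def enroll(self, cert: DeviceCert, device_id: str, compliant: bool = True) -> None:
        self.enrolled[fingerprint(cert)] = device_id
        if compliant:
            self.compliant.add(device_id)

    def synthesize_basic_header(self, cert: DeviceCert) -> str:
        """Credential derived from the cert; the cloud service never sees the cert."""
        credential = f"{cert.subject_cn}:{fingerprint(cert)}".encode()
        return "Basic " + base64.b64encode(credential).decode()

    def authorize(self, credential: str, now: int, ttl: int = 300) -> Optional[str]:
        """Called by the cloud service with the credential it extracted."""
        _, _, fp = credential.partition(":")
        device = self.enrolled.get(fp)
        if device is None or device not in self.compliant:
            return None
        payload = f"{device}|{now + ttl}"
        sig = hmac.new(self.token_key, payload.encode(), hashlib.sha256).hexdigest()
        return base64.b64encode(f"{payload}|{sig}".encode()).decode()

class CloudService:
    def __init__(self, proxy: SecurityProxy, token_key: bytes):
        self.proxy = proxy
        self.token_key = token_key     # shared with the proxy so tokens can be checked

    @staticmethod
    def extract_credential(headers: Dict[str, str]) -> Optional[str]:
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic" or not value:
            return None
        try:
            return base64.b64decode(value, validate=True).decode()
        except ValueError:          # bad base64 or non-UTF-8 bytes
            return None

    def token_valid(self, token: str, now: int) -> bool:
        try:
            device, exp, sig = base64.b64decode(token).decode().split("|")
        except ValueError:
            return False
        expected = hmac.new(self.token_key, f"{device}|{exp}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(sig, expected) and now < int(exp)

    def handle(self, headers: Dict[str, str], now: int) -> bool:
        credential = self.extract_credential(headers)
        if credential is None:
            return False
        token = self.proxy.authorize(credential, now)
        return token is not None and self.token_valid(token, now)

def demo() -> Dict[str, bool]:
    key = b"constructed-shared-key"
    proxy = SecurityProxy(key)
    service = CloudService(proxy, key)
    good = DeviceCert("device-1234", b"DER bytes of an enrolled device cert")
    stray = DeviceCert("device-1234", b"DER bytes of some other cert with the same CN")
    jailbroken = DeviceCert("device-9", b"DER bytes of a non-compliant device cert")
    proxy.enroll(good, "device-1234")
    proxy.enroll(jailbroken, "device-9", compliant=False)
    now = 1_700_000_000
    forged = "Basic " + base64.b64encode(b"device-1234:deadbeef").decode()
    return {
        "enrolled": service.handle({"Authorization": proxy.synthesize_basic_header(good)}, now),
        "same_cn_other_cert": service.handle({"Authorization": proxy.synthesize_basic_header(stray)}, now),
        "noncompliant": service.handle({"Authorization": proxy.synthesize_basic_header(jailbroken)}, now),
        "forged_header": service.handle({"Authorization": forged}, now),
    }
```

The point of hashing the whole certificate rather than copying the subject name is visible in the "same_cn_other_cert" case: a second certificate with the same CN produces a different credential and is refused. The scheme still relies on the header reaching the cloud service only from the proxy; if a client could send a Basic header to the service directly, the fingerprint becomes a bearer password, so the service side must accept it only on the proxy's connection.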

US Pat. No. 10,397,238

SYSTEMS AND METHODS FOR MANAGING ELECTRONIC TOKENS FOR DEVICE INTERACTIONS

Capital One Services, LLC...

1. A device, comprising: one or more processors; and
a non-transitory memory containing instructions that when executed by the one or more processors cause the device to perform operations comprising:
installing a token generation application received from a token server, the token generation application being a web browser application;
linking the installed token generation application to an account managed by the token server by transmitting information identifying the installed token generation application to the token server;
displaying an interface including a control panel for configuring the token generation application, wherein:
the control panel comprises a switch for activating or deactivating a plurality of tokens, the tokens being linked to the account;
the interface further includes one or more settings for one of more restrictions on continued usage of the tokens; and
the one or more restrictions can be both applied to and removed from activated ones of the tokens at any time;
initiating, using the token generation application, generation of a first one of the tokens, the first one of the tokens comprising a pointer to the account according to configuration information received through the interface, the first one of the tokens being specific to a designated merchant; and
providing the first one of the tokens to a server of the designated merchant to complete a transaction with the merchant, wherein authorization of the transaction initiated using the first one of the tokens will be denied if received from a merchant other than the designated merchant, and further wherein authorization of the transaction initiated using the first token will be denied if received from a browser other than a provisioned browser.

US Pat. No. 10,397,237

AUTOMATICALLY PROVISIONING NEW ACCOUNTS ON MANAGED TARGETS BY PATTERN RECOGNITION OF EXISTING ACCOUNT ATTRIBUTES

International Business Ma...

10. An apparatus, comprising: a processor;
computer memory holding computer program instructions executed by the processor to reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising:
program code operative to retrieve a set of existing account information belonging to respective user accounts of a first set of users;
an attribute pattern discovery component to perform pattern matching on the retrieved set of existing account information to discover attribute patterns in the retrieved set of existing account information, wherein a first pattern matching process extracts user attribute information in the retrieved set of existing account information and a second pattern matching process discovers at least a first attribute pattern within the extracted user attribute information;
program code operative to generate an account template according to the first discovered attribute pattern;
program code operative to use the generated account template to create a new account on the first target for a first user, the first user not a member of the first set of users; and
program code operative to grant the first user access to the first target using the created new account.

US Pat. No. 10,397,236

ANAMOLY DETECTION AND RECOVERY OF A CORRUPTED COMPUTING RESOURCE

Amazon Technologies, Inc....

1. A method of detecting corruption of a resource in a compute service provider environment, the method comprising: generating one or more profiles including resource profiles or user profiles;
setting one or more thresholds representing an acceptable deviation from the one or more profiles;
receiving a request to delete data within the compute service provider;
marking the data as deleted, without releasing the data for reuse, but rejecting requests for access to the data so that it appears to a customer as though the data is deleted, wherein the data is associated with a resource in the compute service provider environment and the marking of the data results in the resource being unavailable to the customer to access and being unavailable for reuse within the compute service provider environment;
searching through log data for requests to delete data;
detecting the request to delete the data and determining whether the request exceeds the one or more thresholds associated with the profiles;
transmitting an alert to the customer informing the customer of the request to delete the data; and
restoring the data at the customer's request by removing the marking.
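
The tombstone-and-scan flow in the claim above, as an added worked example that is not part of the patent: deletes only mark data, the request log is searched for delete requests inside a window, each user's count is compared with that user's profile scaled by an allowed deviation, an alert is produced, and a restore clears the mark. The store, the user profiles, the one-hour window and the deviation factor of 3 are constructed assumptions.

```python
# Added example (not from the patent): deletes are recorded as tombstones rather
# than releasing storage; a scan over the request log compares each user's
# delete count in a window against that user's profile times an allowed
# deviation, alerts, and a restore removes the tombstone. Profiles, the window
# and the deviation factor are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class LogEntry:
    ts: float
    user: str
    action: str
    resource: str

@dataclass
class Resource:
    data: bytes
    deleted: bool = False   # tombstone: still stored, but hidden and not reusable

class Store:
    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}
        self.log: List[LogEntry] = []

    def put(self, user: str, name: str, data: bytes, ts: float) -> None:
        self.resources[name] = Resource(data)
        self.log.append(LogEntry(ts, user, "put", name))

    def delete(self, user: str, name: str, ts: float) -> None:
        self.resources[name].deleted = True      # mark only; nothing is freed
        self.log.append(LogEntry(ts, user, "delete", name))

    def visible(self, name: str) -> bool:
        return name in self.resources and not self.resources[name].deleted

    def get(self, name: str) -> bytes:
        if not self.visible(name):
            raise KeyError(f"{name} is deleted")  # looks gone to the customer
        return self.resources[name].data

    def restore(self, user: str, name: str, ts: float) -> None:
        self.resources[name].deleted = False
        self.log.append(LogEntry(ts, user, "restore", name))

@dataclass
class UserProfile:
    expected_deletes_per_window: float

@dataclass
class Alert:
    user: str
    count: int
    threshold: float
    resources: List[str] = field(default_factory=list)

class DeleteAnomalyDetector:
    def __init__(self, profiles: Dict[str, UserProfile], window: float, deviation_factor: float):
        self.profiles = profiles
        self.window = window
        self.deviation_factor = deviation_factor  # allowed multiple of the expected count

    def scan(self, store: Store, now: float) -> List[Alert]:
        """Search the log for delete requests in the window; flag users over threshold."""
        recent = [e for e in store.log if e.action == "delete" and now - e.ts <= self.window]
        per_user: Dict[str, List[str]] = {}
        for e in recent:
            per_user.setdefault(e.user, []).append(e.resource)
        alerts = []
        for user, names in per_user.items():
            profile = self.profiles.get(user, UserProfile(1.0))   # unknown users get a tight default
            threshold = profile.expected_deletes_per_window * self.deviation_factor
            if len(names) > threshold:
                alerts.append(Alert(user, len(names), threshold, names))
        return alerts

def demo() -> Tuple[Store, List[Alert]]:
    store = Store()
    for i in range(12):
        store.put("alice", f"log-{i}", f"record {i}".encode(), ts=0.0)
    store.delete("alice", "log-11", ts=3500.0)                 # one routine delete
    for i in range(10):
        store.delete("deploy-bot", f"log-{i}", ts=3000.0 + i)  # burst from an automation credential
    detector = DeleteAnomalyDetector(
        {"alice": UserProfile(3.0), "deploy-bot": UserProfile(2.0)}, window=3600.0, deviation_factor=3.0)
    return store, detector.scan(store, now=3600.0)

if __name__ == "__main__":
    store, alerts = demo()
    for a in alerts:
        print(f"alert: {a.user} deleted {a.count} resources in the window (threshold {a.threshold})")
    store.restore("alice", "log-3", ts=3700.0)   # customer asks for the data back
    print(store.get("log-3"))
```

Because the tombstone keeps the bytes, restore is a metadata change and needs no backup; the trade-off is that storage stays allocated until a later, separate expiry decides the customer will not ask for it back, and that expiry has to be longer than the time it takes to notice and respond to the alert.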

US Pat. No. 10,397,235

EVENT PROCESSING VIA INDUSTRIAL ASSET CLOUD COMPUTING SYSTEM

General Electric Company,...

1. A method comprising: receiving, at a server computer associated with an industrial asset cloud computing system, a command representing an event, from a mobile device of a plurality of mobile devices, the command comprising instructions for changing a data object in a data domain;
determining, by the server computer, that a session is established that is associated with the mobile device;
storing, by the server computer, the command in a cache associated with the server computer;
determining, by the server computer, a command processor responsible for processing the command;
routing, by the server computer, the command to the command processor responsible for processing the command, wherein the command processor accesses the data domain associated with the command to change the data object in the data domain according to the instructions of the command;
detecting, by the server computer, a state change in the data domain indicating that the data object has been changed;
storing, by the server computer, the changed data object in the cache associated with the server computer; and
preparing, by the server computer, the changed data object to be consumed by mobile devices operated by users authorized to access the data object such that the mobile devices receive the changed data object and the data is updated on local databases of the mobile devices.

US Pat. No. 10,397,233

METHOD AND APPARATUS FOR CREDENTIAL HANDLING

BOMGAR CORPORATION, Ridg...

1. A method comprising: receiving, via a privileged access management (PAM) appliance that provides remote control of an endpoint device by an accessor device, an access request from the accessor device to access the endpoint device, wherein the endpoint device is selected from among a plurality of endpoints, and wherein the PAM appliance manages access rights to the plurality of endpoint devices;
querying, via the PAM appliance, a credential manager for credential information available for the accessor device to access the endpoint device; and
transmitting, via the PAM appliance, the credential information to an endpoint client of the endpoint device to log the accessor device into the endpoint device,
wherein a secure connection is established via the PAM appliance to provide remote support service to the endpoint device by a support representative associated with the accessor device.

US Pat. No. 10,397,232

CONTROLLING USER ACCESS TO COMMAND EXECUTION

Amazon Technologies, Inc....

1. A computer-implemented method comprising: receiving, by a shell aggregator executing on one or more computing systems, a request from a user indicating a command to be executed by each of a plurality of computing nodes that are provided by a network-accessible service for use by the user and that are each executing one or more programs on behalf of the user, wherein execution of the command by each corresponding computing node of the plurality of computing nodes causes each corresponding computing node to gather information regarding itself;
determining, by the shell aggregator and based at least in part on permissions information stored externally to the plurality of computing nodes, that the user is authorized to have the command be executed by each of the plurality of computing nodes;
initiating, by the shell aggregator and in response to the determining, execution of the command by each of the plurality of computing nodes to gather the information, including:
executing the command by a first computing node of the plurality of computing nodes for the user; and
denying execution of the command for the user by a second computing node of the plurality of computing nodes based on additional security information stored locally on the second computing node;
receiving, by the shell aggregator, results including the gathered information from the execution of the command by each of the plurality of computing nodes;
aggregating, by the shell aggregator, the received results to generate aggregated results; and
returning the aggregated results to the user.

US Pat. No. 10,397,231

DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES

Intel Corporation, Santa...

1. A computing system comprising: network circuitry to access program code from a network;
a storage device to store instructions; and
processor circuitry to execute the instructions to:
determine a level of trust for the program code;
based on the level of trust for the program code, assign at least one of a plurality of containers to store the program code from the network, a first container of the plurality of containers associated with a first level of trust, a second container of the plurality of containers associated with a second level of trust, the second level of trust different from the first level of trust; and
allocate compute resources to execute the program code based on which one of the at least one of the plurality of containers is assigned to store the program code.

US Pat. No. 10,397,230

SERVICE PROCESSOR AND SYSTEM WITH SECURE BOOTING AND MONITORING OF SERVICE PROCESSOR INTEGRITY

International Business Ma...

1. A service processor, comprising: a processor;
a memory coupled to the processor and comprising instructions for executing an operating system kernel having an integrity management subsystem;
secure boot firmware;
an event log storage; and
a tamper-resistant secure trusted dedicated microprocessor, wherein:
the service processor operates to manage a host computing system;
the secure boot firmware performs a secure boot operation to boot the operating system kernel of the service processor;
the secure boot firmware records first measurements of code executed by the secure boot firmware when performing the boot operation, in one or more registers of the tamper-resistant secure trusted dedicated microprocessor;
the operating system kernel enables the integrity management subsystem;
the integrity management subsystem records second measurements of software executed by the operating system kernel, in the one or more registers of the tamper-resistant secure trusted dedicated microprocessor;
the integrity management subsystem records third measurements of boot software executed in the host computing system, in the one or more registers;
the operating system kernel records one or more entries, in the event log storage, identifying one or more events causing at least one of the recording of the first measurements, the recording of the second measurements, or the recording of the third measurements, wherein at least one entry in the one or more entries identifies an event causing the recording of a third measurement associated with boot software executed in the host computing system; and
each entry of the one or more entries comprises an identifier of a corresponding register within the one or more registers where corresponding measurement information is stored for that entry, wherein the entries in the event log storage comprise a register identifier identifying a register where a corresponding measurement is stored, a file hash of an executable file that caused the corresponding measurement to be recorded, and a hint of the full path and filename of the executable file that caused the corresponding measurement to be recorded.

US Pat. No. 10,397,229

CONTROLLING USER CREATION OF DATA RESOURCES ON A DATA PROCESSING PLATFORM

Palantir Technologies, In...

1. A computer system comprising: one or more processors;
one or more non-transitory computer-readable storage media coupled to the one or more processors and storing one or more sequences of instructions which when executed cause performing:
receiving a user request to create a data resource on the software platform, the user request comprising, or identifying, a specification indicative of the data resource, a user identifier associated with said user, and an indication that the data resource is required to be accessible to one or more other users, external to the software platform, via a network link;
performing verification using the user identifier to determine if said user is permitted to create or modify the data resource indicated in the specification in accordance with a predetermined set of permissions;
responsive to verifying said user, creating a version of the data resource indicated in accordance with the specification for deployment on the software platform for subsequent access or execution by said user;
verifying that said user is permitted to allow access to the data resource by external users;
responsive to verifying that said user is so permitted, creating one or more replicas of the data resource, and subsequently routing access requests from one or more external users to the one or more replicas.

US Pat. No. 10,397,228

SELECTIVELY RESTRICTING COMMUNICATIONS FROM THIRD PARTY APPLICATIONS/DEVICES TO ELECTRONIC DEVICES

Google LLC, Mountain Vie...

1. A method of message rate limiting by a smart-home device, the method comprising: determining, by the smart-home device, one or more device operation status parameters of the smart home device comprising:
a battery level of the smart-home device;
a battery charging rate of the smart-home device;
an age of the smart-home device;
a planned lifespan of the smart-home device;
a recent wireless usage of the smart-home device;
an internal temperature of the smart-home; or
any of the above in relation to an intervening device over which communication to the smart-home device travels; or
any combination thereof;
receiving, by the smart-home device while the smart-home device is in a low-power mode, an incoming communication directed to the smart-home device from a server;
based at least in part on the one or more device operation status parameters, determining, by the smart-home device while the smart-home device is in the low-power mode, to:
transition to a high-power mode; and
consume the received communication;
or:
remain in the low-power mode; and
ignore the communication.

US Pat. No. 10,397,226

METHODS AND SYSTEMS USING TRUST-BUT-VERIFY DYNAMIC QUALITY-OF-SERVICE (QOS)

Cisco Technology, Inc., ...

8. A method to provide QoS operations, the method comprising: in response to receipt, at a network port of a first computing device, one or more first inbound traffic associated with a first flow from a second computing device, the one or more first inbound traffic being determined to have a voice or a video component, i) classifying each of the one or more first inbound traffic with an initial high QoS (Quality of Service) PHB (Per-Hop Behavior) marking and ii) transmitting to a third computing device in the network the one or more first inbound traffic with the initial high QoS PHB markings; and
initiating authentication of the first flow as being a preferential flow,
wherein, in response to receiving, during the authentication process, one or more subsequent inbound traffic associated with the first flow from the second computing device, i) classifying the one or more subsequent inbound traffic with the initial high QoS PHB markings and ii) transmitting to the third network device the one or more subsequent inbound traffic with the initial high QoS PHB markings.

US Pat. No. 10,397,225

SYSTEM AND METHOD FOR NETWORK ACCESS CONTROL

Worcester Polytechnic Ins...

1. In an access controller, a method for providing access to a network resource on a computer network, comprising: receiving, by the access controller, a network access request and user interaction information associated with the network access request from a client device, the user access information received with the network access request from the client device over the computer network, the client device being distinct from the access controller on the computer network;
wherein receiving user interaction information associated with the network access request from the client device over the computer network comprises receiving, by the access controller, macroevent information associated with the network access request from the client device, the macroevent information identifying user intent associated with the network access request;
wherein receiving macroevent information associated with the network access request from the client device further comprises receiving, by the access controller, microevent information associated with the network access request from the client device, the microevent information related to the macroevent information via the user interaction information and identifying at least one user-generated event associated with the macroevent information and the microevent information comprising input and output (I/O) control flow commands identifying user-initiated interaction, including at least one of I/O patterns and I/O statistics, between the client device and at least one of a hardware device associated with the client device and a graphical user interface associated with the client device;
identifying, by the access controller, a policy corresponding to the macroevent information and the microevent information; and
based upon the identified policy corresponding to the macroevent information and the microevent information, one of providing communication, by the access controller, between the client device and the network resource associated with the network access request, providing, by the access controller, the network access request to a network router, and diverting, by the access controller, traffic associated with the client device through a security monitor.

US Pat. No. 10,397,224

NETWORK PERSONAL DIGITAL VIDEO RECORDER SYSTEM (NPDVR)

Oath Inc., Dulles, VA (U...

1. A computer-implemented method comprising the following operations performed by at least one processor: receiving, from a client system, a request to transfer a first file stored on a host server to a database system, wherein the transfer request is transmitted to a proxy server for isolating the transfer request via a proxy server process, wherein the transfer request is further transmitted to a load balancer for transmitting the transfer request to a least-loaded host server, wherein the transfer request includes an identifier that identifies the first file and an identifier of a user of the client system, and wherein the database system being located remotely from the host server and the client system;
transferring, using a communications network, the first file from the host server to the database system, the database system being adapted to store the first file in a storage area allocated to the identified user of the client system;
receiving, from the client system, a request to access the first file stored on the database system, the request to access the first file including authentication data associated with the user;
verifying the authenticating data associated with the user; and
permitting, in response to verifying the user, the client system to access the first file stored on the database system.

US Pat. No. 10,397,223

METHOD FOR ESTABLISHING AN AUTHORIZED COMMUNICATION BETWEEN A PHYSICAL OBJECT AND A COMMUNICATION DEVICE ENABLING A WRITE ACCESS

Alcatel Lucent, Nozay (F...

1. A method for establishing an authorized communication between a physical object and a communication device, wherein the physical object and the communication device both comprise a data processing unit, a contact communication interface and a wide area network interface, the method comprising: establishing a physical connection between the physical object and the communication device through the contact communication interface of the physical object and the contact interface of the communication device,
transmitting authorization data between the physical object and the communication device through the physical connection to grant access rights over the physical object to the communication device using the authorization data,
wherein the access rights enable the communication device to make a write access to protected data of the physical object through the wide area network interface of the physical object and the wide area network interface of the communication device, wherein the protected data comprise an extension module, and wherein the access rights enable the communication device to install a software module in the extension module of the physical object through the wide area network interface, the software module being adapted to provide to the physical object a function associated with hardware capabilities of the physical object,
wherein the method further comprises transmitting the software module from the communication device to the physical object to be installed in the extension module, wherein, in order to install the software module, the communication device identifies a matching software module in a software database.

US Pat. No. 10,397,222

AUTHENTICATING A LIMITED INPUT DEVICE VIA AN AUTHENTICATED APPLICATION

GoPro, Inc., San Mateo, ...

1. A system, comprising: an authenticated application executing on a first device;
a camera paired with the authenticated application using a first device identifier, the authenticated application configured to enable a user to control one or more camera functions of the camera by interacting with the authenticated application; and
a computer program product comprising a non-transitory computer-readable storage medium having instructions encoded thereon that, when executed by a processor, causes the processor to:
in response to receiving a request including the first device identifier from the authenticated application for a one-time authorization code, transmit the one-time authorization code to the authenticated application,
receive a request for an access token from the camera, the request including the one-time authorization code and a second device identifier,
in response to verifying the one-time authorization code by determining that the second device identifier matches the first device identifier, authenticate the camera by providing the camera with the access token,
associate the access token with a user account,
receive one or more images associated with the user account from the camera, and
in response to determining that the access token has expired, receive a refresh token from the camera and provide a new access token to the camera.

US Pat. No. 10,397,221

NETWORK CONTROLLER PROVISIONED MACSEC KEYS

Hewlett Packard Enterpris...

1. A method comprising: establishing, by a network controller, a first media access control security (MACsec) flow as a secure channel for communication between a first network device and a second network device through a first set of intermediate switches, wherein the first network device and the second network device are two endpoints of the MACsec flow;
establishing, by the network controller, a second MACsec flow as a secure channel for communication between the first network device and a third network device through a second set of intermediate switches, wherein the first network device and the third network device are two endpoints of the second MACsec flow;
provisioning, by the network controller, a first switch with a first MACsec key for encrypting data of the first MACsec flow;
provisioning, by the network controller, the first switch with a second MACsec key for encrypting data of the second MACsec flow;
provisioning, by the network controller, a second switch with the first MACsec key for decrypting the encrypted data of the first MACsec flow;
provisioning, by the network controller, a third switch with the second MACsec key for decrypting the encrypted data of the second MACsec flow; and
setting, by the network controller, forwarding rules for the MACsec flow on the first set of intermediate switches located between the first and second network devices of the first MACsec flow without provisioning the first set of intermediate switches with any MACsec keys for the first MACsec flow such that the intermediate switches forward the data of the first MACsec flow without decrypting or encrypting the data,
wherein the first set of intermediate switches forwarding data of the first MACsec flow without decrypting or encrypting the data comprises the first switch and the second switch, and the second set of intermediate switches comprises the first switch and the third switch, such that the first switch is common to the first set and the second set of intermediate switches, and
wherein the first network device and the second network device use a different MACsec key from a set of MACsec keys based on at least one criteria, the criteria comprising: using a different MACsec key after a period of time, using a different MACsec key after a number of packets have been encrypted or decrypted, and using a different MACsec key according to a bandwidth of a link between the first network device and the second network device.

US Pat. No. 10,397,220

FACIAL PROFILE PASSWORD TO MODIFY USER ACCOUNT DATA FOR HANDS-FREE TRANSACTIONS

GOOGLE LLC, Mountain Vie...

1. A computer-implemented method to enable updates to user account information in response to facial image verification of users located at service system locations, comprising, by one or more computing devices operated by an account management system: receiving, from a user computing device, an account identifier corresponding to a user account associated with a user associated with the user computing device and a beacon device identifier, the user computing device retransmitting the beacon device identifier received via a network from a beacon device at a location associated with the beacon device identifier;
retrieving, an existing facial template associated with the user account based on the account identifier corresponding to the user account;
adding, the retrieved existing facial template to a current customer log of one or more existing facial templates corresponding to user computing devices that retransmitted the beacon device identifier to the one or more computing devices;
receiving, from a service computing device, a request for the current customer log;
transmitting, to the service computing device, the current customer log, the current customer log comprising the retrieved existing facial template associated with the user account, the service computing device identifying the user account based on determining that a degree of similarity between a facial template generated based on a capture of a facial image of the user and the retrieved existing facial template is greater than or equal to a predetermined threshold amount;
receiving, from the service computing device at the location, the account identifier corresponding to the user account, updated account data, and a request to update existing account data in the user account;
and replacing one or more items of the existing account data in the user account with the updated account data.

US Pat. No. 10,397,219

SYSTEMS AND METHODS FOR CONTROLLING A LOCAL APPLICATION THROUGH A WEB PAGE

Spotify AB, Stockholm (S...

1. A computer-implemented method for controlling a local utility comprising: at a client computer having a processor and memory storing instructions for execution by the processor:
at a web browser displaying a control for a local utility executed on the client computer, wherein the control includes a link that includes a domain that resolves to a loopback network address, wherein the loopback network address is a self-referencing address for a local web server at the client computer, and the local utility is distinct from the web browser:
receiving a user input selecting the control;
scanning a plurality of ports associated with a network address of a local web server to identify an open port;
in accordance with a determination that there is no open port associated with the network address of the local web server, executing a uniform resource indicator (URI) recognizable by the client computer, wherein execution of the URI causes initiation of the local utility and the local web server associated with the local utility; and
after initiating the local utility and the local web server associated with the local utility, issuing a request through the link of the selected control to the local web server at the client computer, the local web server coupled with the local utility;
at the local web server:
receiving, from the web browser, the request; and
providing the local utility with a command portion of the request; and
at the local utility coupled with the local web server:
in response to receiving the command portion of the request from the local web server, taking one or more actions based on the command portion of the request, wherein the one or more actions are selected from the group consisting of:
playing a media file;
stopping a media file;
pausing a media file;
fast forwarding a media file;
rewinding a media file;
skipping a media file;
changing a playback order of a playlist;
adding a media file to a playlist; and
removing a media file from a playlist.

US Pat. No. 10,397,218

HIGHLY AVAILABLE WEB-BASED DATABASE INTERFACE SYSTEM

XACTLY CORPORATION, San ...

1. A computer-implemented method comprising: receiving, from a client computer system at a first web server of a plurality of web servers, a client web-based request comprising one or more database instructions of a database request, the plurality of web servers coupled to a database management system comprising of one or more database servers executing database instructions on one or more databases;
a second web server, of the plurality of web servers, querying a request coordinator store, coupled to the plurality of web servers, to determine a state of the database request;
wherein the state of the database request comprises an execution state of at least one database instruction of the database request of the client computer system;
the second web server, based at least in part on the state of the database request, requesting the database management system to execute the one or more database instructions.

US Pat. No. 10,397,217

AUTHENTICATION METHODS AND AUTHENTICATION APPARATUSES

BEIJING ZHIGU RUI TUO TEC...

1. A method, applied to a user terminal, comprising: acquiring first server authentication information of a user from a server, wherein the first server authentication information is encrypted by the server using at least one first key obtained from a first number of characters in a user password of the user;
acquiring the first number of characters input by the user in a password input area;
decrypting the first server authentication information by using at least one second key obtained from the first number of characters input to the password input area resulting in decrypted first server authentication information;
feeding back at least one first authentication response to the user at least according to the decrypted first server authentication information; and
sending an authentication request to the server based on a server authentication pass instruction of the user, wherein the authentication request is used to request the server to authenticate the user.

US Pat. No. 10,397,216

SYSTEMS AND METHODS FOR PERFORMING SECURE BACKUP OPERATIONS

Veritas Technologies LLC,...

1. A computer-implemented method for performing secure backup operations, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: determining a trust level of a backup client by identifying at least one security characteristic of the backup client;
deploying a signed certificate on the backup client that enables the backup client to facilitate backup operations with a security level that corresponds to the trust level of the backup client;
identifying a backup server that has been designated to perform a backup task for the backup client;
prior to facilitating the backup task on the backup client:
identifying a type of signed certificate deployed on the designated backup server;
determining, based on a security level with which the type of signed certificate enables the designated backup server to perform backup operations, a trust level of the designated backup server;
identifying a sensitivity level of the backup task based at least in part on a type of data involved in the backup task; and
determining whether the trust level of the designated backup server is appropriate for the sensitivity level of the backup task; and
facilitating the backup task on the backup client based on at least one of:
the determination of whether the trust level of the designated backup server is appropriate for the sensitivity level of the backup task; and
a determination of whether the security level of the signed certificate deployed on the backup client is appropriate for the sensitivity level of the backup task.

US Pat. No. 10,397,215

SECURE ELEMENT INSTALLATION AND PROVISIONING

VISA INTERNATIONAL SERVIC...

1. A method of binding a device to an authority, the method comprising: providing an unalterable memory in the device that permanently stores information written to the unalterable memory;
reading pre-determined data corresponding to characteristics of the device;
obtaining a pseudo-random number and combining the pseudo-random number with the pre-determined data to give a base number;
downloading an application including executable code that performs at least, a cryptographic function on the base number that generates a secure identifier of the device;
storing the secure identifier in the unalterable memory of the device; and
providing, by the device, the secure identifier of the device to the authority to bind the device to the authority.

US Pat. No. 10,397,214

COLLABORATIVE SIGN-ON

INTERNATIONAL BUSINESS MA...

1. A method, comprising: responsive to a user providing at least one authentication credential to a second system during an attempt to log into a first online account hosted by the second system, receiving, by a first system comprising at least one processor, an authentication approval request from the second system;
responsive to receiving the authentication approval request from the second system, determining, by the first system, whether the user is required to be logged into at least a second online account hosted by at least a third system unrelated to the second system in order to approve the authentication approval request;
responsive to determining that the user is required to be logged into at least the second online account hosted by at least the third system in order to approve the authentication approval request, determining, by the first system, whether the user presently is logged into at least the second online account hosted by at least the third system in at least one presently active user session;
responsive to determining that the user presently is logged into at least the second online account hosted by at least the third system in at least one presently active user session, communicating to the second system a response to the authentication approval request indicating that the user is approved for authentication with the second system to log into the first online account hosted by the second system;
responsive to the user providing at least one authentication credential to a fourth system during an attempt to log into a third online account hosted by the fourth system, receiving, by the first system, a second authentication approval request from the fourth system;
responsive to receiving the second authentication approval request from the fourth system, determining, by the first system, whether the user is required to be logged into at least a fourth online account hosted by at least a fifth system unrelated to the fourth system in order to approve the second authentication approval request;
responsive to determining that the user is required to be logged into at least the fourth online account hosted by at least the fifth system in order to approve the authentication approval request, determining, by the first system, whether the user presently is logged into at least the fourth online account hosted by at least the fifth system in at least one presently active user session; and
responsive to determining that the user presently is not logged into at least the fourth online account hosted by the at least the fifth system in at least one presently active user session, communicating to the fourth system a response to the authentication approval request indicating that the user is not approved for authentication with the fourth system to log into the third online account hosted by the fourth system.

US Pat. No. 10,397,213

SYSTEMS, METHODS, AND SOFTWARE TO PROVIDE ACCESS CONTROL IN CLOUD COMPUTING ENVIRONMENTS

CONJUR, INC., Weston, MA...

1. A method of providing accommodated, compliant-based access control across multiple cloud computing environments, the method comprising: identifying a first request generated by a requester for interacting with a first resource hosted in a first cloud computing environment, where the identified first request comprises requester identifying information and a requested interaction between the requester and the first resource hosted in the first cloud computing environment;
determining, based on the requester identifying information and the requested interaction between the requester and the first resource hosted in the first cloud computing environment, and further according to identifying information associated with the first resource hosted in the first cloud computing environment, whether the requested interaction is authorized for the requester with respect to the first resource hosted in the first cloud computing environment;
providing a first control response governing requester access rights to the first resource hosted in the first cloud computing environment, wherein providing the first control response comprises granting or denying requester access for the requested interaction based on the determination;
identifying a second request generated by the requester for interacting with a second resource hosted in a second cloud computing environment;
assessing, based on characteristics of the second cloud computing environment and using the requester identifying information, whether the second request for interacting with the second resource adheres with a particular authorization requirement of the second cloud computing environment;
wherein the characteristics of the second cloud computing environment include at least one of a type of cloud provisioning service for the second cloud computing environment and a particular application running in the second cloud computing environment; and
according to the determining and further based on the assessing, providing a second control response governing the requester access rights for the requested interaction with the second resource hosted in the second cloud computing environment without the need to reconfigure the requester access rights to the second resource hosted in the second cloud computing environment.

US Pat. No. 10,397,212

INFORMATION DEVICE, DATA PROCESSING SYSTEM, DATA PROCESSING METHOD, AND NON-TRANSITORY STORAGE MEDIUM FOR EXECUTING CONTENT UPON AUTHENTICATION

PANASONIC INTELLECTUAL PR...

1. An information device comprising: a reader that reads, from a removable medium, ticket data provided from a server, the ticket data being provided from the server upon successful authentication, and the ticket data including information representing an executable content that is to be executable upon the successful authentication; and
a data processor that
executes the executable content represented in the ticket data, and
stores, in the removable medium, first identification information of the information device and additional data having a value that differs depending on a timing, wherein the ticket data further includes
information representing a number of times that the executable content is permitted to be executed or a period during which the executable content is permitted to be executed,
the additional data and second identification information set by the server based on the first identification information, and
first ticket data and second ticket data that differs from the first ticket data,
wherein the additional data includes first additional data and second additional data that differs from the first additional data, and
wherein the data processor
executes the executable content within the number of times that the executable content is permitted to be executed or within the period during which the executable content is permitted to be executed, when the second identification information included in the ticket data matches the first identification information,
links, when the executable content is executed based on the first ticket data, first information regarding a number of times the executable content is executed to the first additional data included in the first ticket data, and records the first information, and
links, when the executable content is executed based on the second ticket data, second information regarding a number of times the executable content is executed to the second additional data included in the second ticket data, and records the second information.

US Pat. No. 10,397,210

METHOD, DEVICE, CLIENT AND SERVER FOR INTERACTION

TENCENT TECHNOLOGY (SHENZ...

1. An interaction method, comprising: scanning, by a client, a target two-dimensional code to acquire a uniform resource locator (URL) in the target two-dimensional code;
sending, by the client, the URL to a third-party server;
receiving, by the client, multifunction interaction information that is returned from the third-party server according to the URL, wherein each piece of the multifunction interaction information comprises interaction type information; and
interacting, by the client, with the third-party server based on the multifunction interaction information,
wherein the interaction type information comprises information indicating at least one of an interaction application and a webpage application developed by a third party, the method further comprising:
sending, by the client, to an interconnection server at least one of an interaction application identifier and a signature file of the third party included in the multifunction interaction information;
based on a result of authentication of the third party by the interconnection server according to the at least one of the interaction application identifier and the signature file of the third party, sending, by the client, to the third-party server a request for opening a jump URL corresponding to an application indicated by the interaction type information and an authorization token; and
receiving and displaying, by the client, a jump webpage, which contains a login state of a user of the client, returned from the third-party server, the login state of the user of the client being obtained from the interconnection server according to the request and the authorization token.

US Pat. No. 10,397,209

RISK-AWARE MULTIPLE FACTOR AUTHENTICATION BASED ON PATTERN RECOGNITION AND CALENDAR

International Business Ma...

1. A method comprising: storing in a database security questions and corresponding user response data;
determining an accuracy score for each of a plurality of security questions previously answered by the user, the accuracy score being based in part on at least one of an amount of queries for a particular security question and a number of correct responses by the user;
ranking the security questions based on the accuracy scores;
receiving by an interface a login name from a user;
determining whether a state of the user is impaired;
selecting by a processor at least one security question regarding recent activity performed by the user, said selecting of the at least one security question includes selecting at least one impaired security question when a cognitive state of the user is impaired, the impaired security question having an accuracy score below a predetermined threshold;
receiving by the interface an answer to the at least one security question from the user;
determining by the processor whether the answer matches data stored in a user transaction database that is associated with the login name of the user.

US Pat. No. 10,397,208

AUTHENTICATION VIA ITEM RECOGNITION

PayPal, Inc., San Jose, ...

1. A system for authenticating a user, comprising: a non-transitory memory; and
one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
receiving, from a mobile device of a user, a request for accessing a user account;
in response to receiving the request, obtaining an image captured by a camera of the mobile device;
applying one or more image recognition algorithms to the captured image to extract a first set of features related to a first item in the captured image;
comparing the first set of features to stored features associated with a plurality of reference items designated for authenticating the user of the user account to determine that the first item in the captured image matches a first reference item in the plurality of reference items;
applying the one or more image recognition algorithms to the captured image to extract a second set of features related to a second item in the captured image;
comparing the second set of features to the stored features associated with the plurality of reference items designated for authenticating the user of the user account to determine that the second item in the captured image matches a second reference item in the plurality of reference items, wherein the first and second reference items are associated with a reference location;
determining a color of a third item in the captured image;
determining that a location of the mobile device corresponds to the reference location associated with the first and second reference items based at least in part on the color of the third item in the captured image;
determining, based on analyzing the captured image, that the first item and the second item are within a geographical boundary associated with the location of the mobile device;
in response to determining that the location of the mobile device corresponds to the reference location and that the first item and the second item are within the geographical boundary, granting the mobile device access to the user account according to a first access level;
retrieving additional descriptions of the first reference item, wherein the additional descriptions represent one or more characters or symbols appearing on the first reference item;
applying at least one of an optical character recognition algorithm or a pattern recognition algorithm to a portion of the captured image representing the first item to extract a third set of features related specifically to the first item, wherein the third set of features comprises at least one of a character or a symbol that appears on the first item;
comparing the third set of features against the additional descriptions associated with the first reference item to determine that the third set of features matches the additional descriptions; and
in response to determining that the third set of features matches the additional descriptions, granting the mobile device access to the user account according to a second access level that is less restrictive than the first access level.

US Pat. No. 10,397,207

AUTOMATIC CREDENTIAL ROTATION

AMAZON TECHNOLOGIES, INC....

1. A computer-implemented method, comprising: receiving, from a client device associated with a user, a first request for access to one or more resources in a resource provider environment, the first request including a first credential string and a first iteration number, the first iteration number corresponding to a first random number, the first credential string corresponding to the output of a key stretching algorithm operated on a user access credential for a number of iterations corresponding to the first iteration number;
storing the first credential string and the first iteration number;
receiving, from the client device, a second credential string and a second random number, a second iteration number corresponding to a sum of the first iteration number and the second random number, the second credential string corresponding to the output of the key stretching algorithm operated on the user access credential for a number of iterations corresponding to the second iteration number;
generating a local copy of the second credential string using the first credential string processed a further number of iterations of the key stretching algorithm corresponding to the second random number, wherein the local copy has undergone a total of the second iteration number of the key stretching algorithm with respect to the user access credential;
determining that the second credential string, received from the client device, is the same as the local copy of the second credential string;
granting, in response to the second request, access to the one or more resources.

US Pat. No. 10,397,206

SYMMETRIC ENCRYPTION KEY GENERATION/DISTRIBUTION

Red Hat, Inc., Raleigh, ...

1. A method for exchanging encrypted information between a first computing device and a second computing device comprising: both computing devices having input parameters including: a shared secret, a prime bounding integer, a generator, a first group constant, and a second group constant, wherein the input parameters are respectively used to generate a first private key, a second private key, a first public key, and a second public key;
the second computing device receiving an encrypted message from the first computing device;
the second computing device generating the second private key;
the second computing device generating the second public key, using the generator, the shared secret, the first group constant, and the second private key;
the second computing device sending the second public key to the first computing device;
the first computing device using the second public key from the second computing device, the first group constant, the shared secret, the first private key, and the second constant to generate the first public key;
the second computing device receiving the first public key from the first computing device;
the second computing device using the first public key, the shared secret, the second group constant, and the second private key to calculate a session key; and
the second computing device decrypting the encrypted message with the session key.

US Pat. No. 10,397,205

RECORDING DATA AND USING THE RECORDED DATA

International Business Ma...

1. An apparatus that uses data including content recorded in a recording medium, wherein the data includes a medium-bound package key, a medium-bound encrypted medium key, and a medium-bound encrypted package, the apparatus comprising: a key deriving section that derives a medium-binding key from medium-attribute information on the recording medium using medium-attribute information on the recording medium as input to a medium-binding key deriving function, wherein the medium-attribute information uniquely identifies the recording medium;
an encrypted medium key acquisition section that obtains an encrypted medium key by using the medium-binding key to decrypt the medium-bound encrypted medium key from the recording medium;
a medium-key acquisition section that obtains a medium key by decrypting the encrypted medium key using a private key corresponding to the public key, wherein the private key is transferred to the apparatus separately from the recording medium;
a first data acquisition section that obtains a protected area key by using an exclusive-OR operation with the medium-binding key and the medium key;
a second data acquisition section that obtains a common key and encrypted content information from the recording medium by decrypting, respectively, the medium-bound package key and the medium-bound encrypted package using the protected area key; and
an information acquisition section that obtains the information on the content by decrypting the encrypted-content information using the common key.

US Pat. No. 10,397,204

RECORDING DATA AND USING THE RECORDED DATA

International Business Ma...

1. A method for using data including content recorded in a recording medium on a computer apparatus, wherein the data includes a medium-bound package key, a medium-bound encrypted medium key, and a medium-bound encrypted package, the method comprising: deriving, using a key deriving section in the computer apparatus, a medium-binding key using medium-attribute information on the recording medium as input to a medium-binding key deriving function, wherein the medium-attribute information uniquely identifies the recording medium;
obtaining, using an encrypted medium key acquisition section, an encrypted medium key by using the medium-binding key to decrypt the medium-bound encrypted medium key from the recording medium;
obtaining, using a medium-key acquisition section in the computer apparatus, a medium key by decrypting the encrypted medium key using a private key corresponding to a public key, wherein the private key is transferred to the computer apparatus separately from the recording medium;
obtaining, using a first data acquisition section in the computer apparatus, a protected area key by using an exclusive-OR operation with the medium-binding key and the medium key;
obtaining, using a second data acquisition section in the computer apparatus, a common key by decrypting the medium-bound package key from the recording medium using the protected area key;
obtaining, using the second data acquisition section in the computer apparatus, encrypted content information by decrypting the medium-bound encrypted package from the recording medium using the protected area key; and
obtaining, using an information acquisition section in the computer apparatus, the information on the content by decrypting the encrypted-content information using the common key.

US Pat. No. 10,397,203

RECEPTION DEVICE AND RECEPTION METHOD

FUJITSU LIMITED, Kawasak...

1. A reception device comprising: a memory which stores, for each of at least one function handling confidential information, a stored program module implementing a corresponding function, and first and second stored version numbers of the stored program module;
a receiver configured to receive a conditional access system program being encrypted and used to execute a process related to the confidential information, and a notification signal notifying of delivery of the conditional access system program and including delivery destination information identifying a delivery destination of the conditional access system program which includes, for each received program module in the conditional access system program, first and second received version numbers of the received program module;
a processor configured to
determine whether the reception device is a delivery target of the conditional access system program on the basis of the delivery destination information included in the notification signal, and
prepare for receiving the conditional access system program when the reception device is the delivery target of the conditional access system program; and
an information protection circuit configured to
determine whether the reception device is a use target of the conditional access system program with reference to the identification information included in the conditional access system program, and
decrypt the conditional access system program when the reception device is the use target of the conditional access system program, including when either of the first and second received version numbers of the received program module in the conditional access system program is larger than the first and second stored version numbers, respectively, of the stored program module corresponding thereto, decrypt the received program module to obtain a decrypted program module,
delete the stored program module in the memory corresponding to the received program module in the conditional access system program only when the second received version number of the received program module is larger than the second stored version number of the stored program module in the memory corresponding thereto; and
store the decrypted program module in the memory.

US Pat. No. 10,397,202

SECURE COMMUNICATION CHANNELS

BlackBerry Limited, Wate...

1. A method of negotiating a secure device-to-device communications channel between a first computing device and a second computing device, the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising: receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel;
receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; and
determining, on the basis of an identity of the first user and an identity of the second user, that the secure device-to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted:
sending, from the server, first connection data to the first computing device over the first secure communications channel; and
sending, from the server, second connection data to the second computing device over the second secure communications channel; and
wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device.

US Pat. No. 10,397,201

SENDING ENCRYPTED DATA TO A SERVICE PROVIDER

ENTIT SOFTWARE LLC, Sunn...

1. A computer program product for sending encrypted data to a service provider, comprising: a non-transitory computer readable storage medium, said non-transitory computer readable storage medium comprising computer readable program code embodied therewith, said computer readable program code comprising program instructions that, when executed, causes a processor to:
exchange an encryption key between an entity and a service provider without retaining said encryption key and while hiding an identity of said entity from said service provider; and
forward encrypted data based on said encryption key to said service provider from said entity while hiding said identity of said entity from said service provider.

US Pat. No. 10,397,200

CARD-BASED DYNAMIC PASSWORD GENERATION METHOD AND DEVICE

Feitian Technologies Co., ...

1. A card-based method for generating a dynamic password, in which the card is inserted into a device, wherein the method comprises: Step S1, powering on the device, and initializing a current running state as a first state;
Step S2, determining, by the device, an operation which is to be executed, executing Step S3 in the case that the operation is on number keys; executing Step S4 in the case that the operation is on state keys; otherwise, executing Step S5;
Step S3, determining, by the device, whether it needs to input numbers, if yes, obtaining input data according to the operation on number keys pressed by a user, and then returning to execute Step S2; otherwise, returning to Step S2 directly;
Step S4, determining, by the device, whether it needs to input a confirm state, if yes, obtaining the confirm state according to the operation on state keys pressed down by the user, and then returning to execute Step S2; otherwise, returning to Step S2 directly; and
Step S5, determining, by the device, the current running state;
powering on the card in the case that the current running state is the first state, sending a preset instruction to the card after the card is powered on successfully, and obtaining a first data and a second data from a first returned data returned from the card and saving the first data and the second data, updating the current running state as a sixth state, and then returning to execute Step S2;
prompting the user to input a PIN code in the case that the current running state is the sixth state, storing the input data as the PIN code when the confirm state is OK, updating the current running state as a seventh state, and returning to Step S2;
obtaining the stored PIN code in the case that the current running state is the seventh state, generating a verifying-PIN-code instruction and sending the instruction to the card, updating the current state as an eighth state after the card verifies the PIN code successfully, and then returning to Step S2;
generating a password-generating instruction and sending the instruction to the card according to the saved first data and data stored in a preset cache in the case that the current running state is the eighth state, obtaining password data from a second returned data returned from the card and verifying the password data, updating the current running state as a ninth state after the obtained password data is verified successfully, and then returning to Step S2; and
compressing the password data according to the saved second data in the case that the current running state is the ninth state, formatting the compressed data so as to obtain a dynamic password, displaying the dynamic password, powering off the card, initializing the current running state as the first state, and returning to Step S2,
said method further comprises a key interrupt flow and an interrupt processing flow, and the key interrupt flow specifically comprises: entering a key interrupt in the case that a key is pressed down, setting a key-IO-interrupt flag, and exiting from the key interrupt; the interrupt processing flow specifically comprises: entering an interrupt processing in the case that the key-IO-interrupt flag is set, setting a value of a key flag according to key input by the user, and writing a value into a number inputting cache according to the value of the key flag, clearing the key-IO-interrupt flag, and then exiting from the interrupt processing.

US Pat. No. 10,397,199

INTEGRATED CONSENT SYSTEM

MICROSOFT TECHNOLOGY LICE...

1. A method performed by a computing system for creating an account for a user with an identity provider, the method comprising: receiving a request to create an identity provider account with the identity provider for use in logging onto a third-party system;
generating one or more display pages for providing an integrated-consent user experience that includes at least one of the one or more display pages for collecting both new-account information and scope-of-consent information for consenting to share account information with the third-party system;
receiving, from the user and through the one or more display pages, the new-account information that includes user credentials for the identity provider account and a scope of consent to share account information of the identity provider account with the third-party system;
based on receipt of the new-account information and a consent by the user to share account information as noted by the scope of consent, creating for the user, the identity provider account; and
recording an indication of the scope of consent, wherein when the user subsequently signs in to the third-party system using the user credentials for the identity provider account, the third-party system accesses account information of the identity provider account based on the user having provided the scope of consent.

US Pat. No. 10,397,198

INFORMATION COMMUNICATION SYSTEM, INFORMATION COMMUNICATION PROGRAM, AND INFORMATION COMMUNICATION METHOD

PRIME BRAINS, INC., Toky...

1. An information communication system, comprising: a first program stored in a first terminal and configured to carry out instructions; and
a second program stored in a second terminal and configured to carry out instructions,
wherein the first terminal is configured to transmit transmission information,
the second terminal is configured to communicate with the first terminal through the Internet in a confidential state and to communicate with a third terminal configured to receive the transmission information through the Internet in a confidential state,
the transmission information is an information transmitted from a transmission source to a transmission destination, and includes a message body information including text data and an attachment file attached to the message body information,
the first program having:
encryption password generation instructions generating an encryption password for encryption processing of the attachment file;
encryption instructions performing encryption processing to the attachment file using the encryption password;
encryption password transmission instructions transmitting information of the encryption password to the second terminal in a confidential state; and
destination transmission instructions transmitting information of the transmission destination to the second terminal in a confidential state,
the second program having:
first determination instructions determining whether or not the information of the transmission destination is registered in the second terminal; and
Uniform Resource Locator (URL) information processing instructions generating a first URL information associated with the information of the encryption password and transmitting the first URL information to the first terminal,
the first program further having transmission preparation instructions generating a first transmission information which is a transmission information including the first URL information in the message body information and to which an attachment file obtained by performing the encryption processing is attached to the main body information,
the second program further having:
authentication processing instructions performing authentication processing for determining whether or not to permit access to a first URL corresponding to the first URL information included in the first transmission information from the third terminal; and
encryption password returning instructions returning the information of the encryption password to the third terminal in a confidential state in a case where the access is permitted in the authentication processing, and
in a case where the first determination instructions determine that at least a part of the information of the transmission destination is not registered, the URL information processing instructions generate a second URL information related to an information of an unregistered transmission destination and transmit the second URL information to the first terminal, and the transmission preparation instructions generate a second transmission information including the second URL information in the message body information and directed to the unregistered transmission destination.

US Pat. No. 10,397,197

COEXISTENCE INTERFERENCE MITIGATION DURING WIRELESS LOCAL AREA NETWORK AUTHENTICATION

Apple Inc., Cupertino, C...

1. A method for enabling a wireless device to mitigate coexistence interference during an authentication process while establishing a wireless local area network (WLAN) connection with a WLAN access point (AP), the method comprising: by the wireless device:
transmitting a WLAN association request to a WLAN AP; and
in response to receipt of a WLAN association response from the WLAN AP and while performing the authentication process with the WLAN AP, alternating between WLAN time periods, during which WLAN transmissions are enabled and wireless personal area network (WPAN) transmissions are disabled, and WPAN time periods, during which WPAN transmissions are enabled and WLAN transmissions are disabled, wherein: durations of the WPAN time periods are based at least in part on an active WPAN profile in use for a WPAN connection between the wireless device and (a) an accessory system that includes the WLAN AP or (b) a separate accessory device,
durations of the WLAN time periods are based at least in part on receipt of WLAN authentication messages from the WLAN AP and on expiration of WLAN authentication process timers maintained at the wireless device, when one or more expected WLAN authentication messages are not received from the WLAN AP; and
when the active WPAN profile in use comprises a Bluetooth Asynchronous Connectionless Link (ACL) profile, the durations of the WPAN time periods are based at least in part on whether a Bluetooth connection using the ACL profile is active.

US Pat. No. 10,397,196

PORT-SCRAMBLING-BASED NETWORKS

CYBER 2.0 (2015) LTD., Y...

1. A device having a processor and a memory, wherein said device operating within a computer network comprising a plurality of devices, wherein said memory retaining a certificate, wherein the certificate is shared among a portion of the plurality of devices, wherein said device comprising:
a communication module for sending and receiving transmissions to and from devices in the computer network;
a scrambling module configured to apply a transformation function on an identifier of a first port to obtain an identifier of a second port, wherein the transformation function depends on the certificate;
a descrambling module configured to apply a reverse transformation function on the identifier of a fourth port to obtain an identifier of a third port, wherein the reverse transformation function depends on the certificate and is a reverse function of the transformation function;
an outgoing agent configured to obtain outgoing communications, wherein said outgoing agent is configured to invoke said scrambling module on an identifier constituting the identifier of said first target port, in an outgoing communication, to obtain an identifier of said second target port, wherein said outgoing agent is further configured to provide a modified outgoing communication to said communication module for being transmitted to a target device via the second target port, whereby if the target device is a member of the portion of the plurality of devices, the target device is enabled to perform reverse transformation on the identifier of the second target port to obtain the identifier of the first target port of the outgoing communication;
whereby if the target device is not a member of the portion of the plurality of devices, it becomes misled to relate to the modified outgoing communication as a communication being targeted to a port other than the first source port; and
an incoming agent configured to obtain incoming communications received by said communication module, wherein said incoming agent is configured to invoke said descrambling module on an identifier of a second source port of an incoming communication, wherein the incoming communication was transmitted by a source device, whereby an identifier of a first source port is obtained, wherein said incoming agent is further configured to output a modified incoming communication, wherein the modified incoming communication is directed at the first source port instead of the second source port, whereby if the source device is not a member of the portion of the plurality of devices, said device becomes misled to relate to the incoming communication as a communication being transmitted by the source device to a port other than the first target port.

US Pat. No. 10,397,195

METHOD AND SYSTEM FOR SHARED KEY AND MESSAGE AUTHENTICATION OVER AN INSECURE SHARED COMMUNICATION MEDIUM

Robert Bosch GmbH, Stutt...

1. A method for shared key generation with authentication comprising:
generating, with a processor in a gateway node communicatively connected to a first node and a second node through a shared communication medium, a first set of pseudo-random data corresponding to expected transmissions from the first node based on a predetermined one-way function applied to a first shared key between the first node and the gateway node;
identifying, with the processor in the gateway node, a plurality of bits transmitted from the second node based on a plurality of signals received by a transceiver in the gateway node communicatively connected to the shared communication medium, the plurality of signals corresponding to a plurality of simultaneous transmissions from the first node and the second node to generate a shared key between the first node and the second node, each simultaneous transmission including the first node transmitting at least one first bit at a transmit time and the second node transmitting at least one second bit at the transmit time, wherein the at least one first bit and the at least one second bit are transmitted through the shared communication medium at the same time;
identifying, with the processor in the gateway node, a plurality of expected bit values for at least a portion of the second plurality of bits transmitted from the second node based at least in part on applying the predetermined one-way function to a combination of shared secret data between the gateway node and the second node stored in a memory of the gateway node with another set of random data generated by the second node;
authenticating, with the processor in the gateway node, the second node in response to the plurality of bits transmitted from the second node matching the plurality of expected bit values;
generating, with a random number generator in the gateway node, a plurality of random bits of data;
exchanging, with the transceiver in the gateway node, the plurality of random bits with the first node by transmitting the plurality of random bits while receiving another plurality of random bits during simultaneous transmissions from the first node to produce a plurality of shared bits between the gateway node and the first node;
generating, with the processor in the gateway node, the first shared key between the gateway node and the first node by applying the one-way function to a combination of shared secret data between the gateway node and the first node stored in the memory of the gateway node and the plurality of shared bits between the gateway node and the first node;
generating, with the random number generator in the gateway node, a nonce value;
generating, with the processor in the gateway node, an encrypted version of the nonce value using the first shared key;
transmitting, with the transceiver in the gateway node, the encrypted version of the nonce value to the first node;
receiving, with the transceiver in the gateway node, a transformed nonce value from the first node, the transformed nonce corresponding to a predetermined numeric transformation applied to the nonce value by the first node after the first node decrypts the encrypted version of the nonce using the first shared key; and
authenticating, with the processor in the gateway node, the first node in response to the transformed nonce value received from the first node matching another transformed nonce value generated by the processor in the gateway node applying the predetermined numeric transformation to the nonce value generated by the random number generator in the gateway node.

US Pat. No. 10,397,194

DYNAMIC TRANSMISSION OF ENCRYPTED DATA

eBay Inc., San Jose, CA ...

1. A system comprising:
a processor;
a communication interface coupled to the processor;
memory coupled to the processor and storing instructions that, when executed by the processor, cause the system to perform operations comprising:
receiving, via the communication interface, a data packet comprising encrypted data, the system not being located within a transmission range of a source computing device when the encrypted data packet is received by the system;
establishing, subsequent to receiving the encrypted data packet and in response to the system moving within the transmission range of the source computing device, communication with the source computing device via the communication interface;
in response to establishing communication with the source computing device, transmitting to the source computing device, via the communication interface, a request for decryption information for decrypting the encrypted data packet; and
based on receiving the decryption information from the source computing device, decrypting the encrypted data packet based on the decryption information.

US Pat. No. 10,397,193

BLIND CLOUD DATA LEAK PROTECTION

SONICWALL INC., Milpitas...

1. A method for blind data leak prevention, the method comprising:
receiving at a first computing device that is external to a secure network:
a rule sent from a second computing device inside the secure network and encrypted based on a first encryption key, wherein the first encryption key is accessible to the second computing device but not accessible to the first computing device; and
encrypted data from the second computing device, wherein the received encrypted data is encrypted based on the first encryption key by:
identifying that the encryption based on the first encryption key occurs in byte groups of a predetermined number of bytes in size, and
applying the encryption a number of times corresponding to a predetermined number of bytes and resulting in a plurality of encrypted versions, each encrypted version beginning at an offset of a different number of bytes up to the predetermined number of bytes by:
identifying a final number of bytes in a last byte group of each encryption,
identifying that the identified final number of bytes does not yet equal the predetermined number of bytes; and
prepending one or more preceding bytes to the last byte group until the final number of bytes equals the predetermined number of bytes; and
executing instructions stored in memory of the first computing device, wherein execution of the instructions by a processor of the first computing device:
evaluates the received encrypted data to identify that the received encrypted data corresponds to the rule, wherein the received encrypted data remains encrypted during the evaluation; and
processes the received encrypted data based on the identification that the received encrypted data corresponds to the rule, wherein the received encrypted data remains encrypted during processing.

US Pat. No. 10,397,192

REMOTELY ACCESSING DATA ON A SECURED SERVER

DvSum, LLC, Bethesda, MD...

1. A non-transitory tangible machine readable medium comprising instructions configured to cause at least one processor on an assistant computing device to perform a process comprising:
a) receiving a request over a network from a requesting computing device to query a dataset located on a remote computing device, the remote computing device residing in a physically secured data center, the remote computing device not directly accessible to the assistant computing device;
b) identifying access credential requirements to allow the requesting computing device to access the remote computing device identified in the request;
c) identifying remote processing requirements for the remote computing device to access the dataset identified in the request;
d) generating access credentials, employing at least in part, the access credential requirements;
e) generating remote processing instructions, employing at least in part, the remote processing requirements, the remote processing instructions configured to be executable by the remote computing device to satisfy the request;
f) encrypting the access credentials to generate encrypted access credentials;
g) encrypting the remote processing instructions to generate encrypted remote processing instructions;
h) communicating the encrypted remote processing instructions to the requesting computing device;
i) communicating the encrypted access credentials to the requesting computing device;
j) receiving at least one set of encrypted results from the requesting computing device;
k) decrypting the encrypted results to obtain results;
l) generating a report of results; and
m) communicating the report to the requesting computing device.

US Pat. No. 10,397,191

PASSING CONTENT SECURELY FROM WEB BROWSERS TO COMPUTER APPLICATIONS

Adobe Inc., San Jose, CA...

1. A method of securing digital content passed between a web browser, a server, and a local application by extracting information embedded within digital file names, comprising:
selecting, via a client device, one or more digital files from a remote server, the remote server requiring login credentials to access the one or more digital files and the one or more digital files corresponding to a native software application that requires access credentials to access the native software application;
upon providing the login credentials, receiving the one or more digital files, the one or more digital files comprising an identifier embedded within a file name of the one or more digital files;
in response to accessing the one or more digital files via the client device, utilizing the identifier embedded within the file name to automatically access the native software application by:
extracting the identifier embedded within the file name of the one or more digital files;
sending the identifier extracted from within the file name of the one or more digital files to one or more servers to obtain the access credentials required to access the native software application associated with the one or more digital files; and
using the access credentials to automatically access the native software application corresponding to the one or more digital files.

US Pat. No. 10,397,190

SYSTEM AND METHOD FOR GENERATING AN OBFUSCATED OPTICAL SIGNAL

HUAWEI TECHNOLOGIES CO., ...

1. A method performed at an optical transmitter comprising:
receiving an optical signal carrying data for transmission;
performing a time-varying modification of the optical signal carrying the data to generate an obfuscated optical signal; and
transmitting the obfuscated optical signal;
wherein the time-varying modification is performed in accordance with a plurality of values corresponding to a respective plurality of values for use in at least partially deobfuscating the obfuscated optical signal to allow for detection of the data carried by the received optical signal; and
wherein the optical signal has a first polarization and a second polarization, and wherein performing the time-varying modification of the optical signal comprises applying a first time-varying modification to the first polarization, and when applying the first time-varying modification to the first polarization, either: applying no modification to the second polarization or applying a second modification, different from the first time-varying modification, to the second polarization.

US Pat. No. 10,397,189

PEERED VIRTUAL PRIVATE NETWORK ENDPOINT NODES

Amazon Technologies, Inc....

1. A system, comprising:
a plurality of computing devices within a provider network to execute a plurality of virtual machines; and
one or more computing devices within the provider network and configured to execute a provisioning service and a health monitoring service;
wherein, in response to a request to a first application programming interface (API), the provisioning service is configured to launch a first fault tolerant virtual private network endpoint (VPNe) node as a pair of VPNe virtual machines on separate host computers within the provider network, wherein a first of the virtual machines within the pair is configured to communicate encrypted packets over a secure tunnel and a second virtual machine in the pair is synchronized to an encryption key used by the first virtual machine for encryption and decryption of packets sent and received over the secure tunnel;
wherein, in response to a request to a second API, the provisioning service is configured to create a second fault tolerant VPNe node as a pair of VPNe virtual machines on separate host computers and to peer the second fault tolerant VPNe node to the first fault tolerant VPNe node via the secure tunnel over a public network; and
wherein the health monitoring service is configured to determine a health status of each of the virtual machines in each pair of virtual machines of the first and second fault tolerant VPNe nodes and, upon determination of a failure of a virtual machine of a given pair that is implementing the secure tunnel, initiate a fail-over to the other VPNe virtual machine of the pair.

US Pat. No. 10,397,188

ACCESS CONTROL APPARATUS, SYSTEM, AND METHOD

Huawei Technologies Co., ...

1. An apparatus comprising:
a receiver configured to:
receive a first service chain forwarding rule from a controller, wherein the first service chain forwarding rule comprises a first service chain identifier corresponding to a terminal, and a first identifier of a first access network element, wherein the first identifier of the first access network element corresponds to the first service chain identifier; and
receive a first packet from a classifier, wherein the first packet carries a service chain identifier;
a processor configured to:
when the service chain identifier carried in the first packet matches the first service chain identifier in the first service chain forwarding rule, determine, according to the first identifier of the first access network element, that the first packet is to be sent to the first access network element; and
a transmitter configured to forward the first packet to the first access network element.

US Pat. No. 10,397,186

METHODS FOR INTERNET COMMUNICATION SECURITY

Stealthpath, Inc., Resto...

1. A product for securing communication between at least two networked computing devices, the product comprising at least one non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code when executed on the at least two networked computing devices performs communication management operations on the at least two networked computing devices, the communication management operations comprising:
i) forming a configured communication pathway by configuring a pre-established communication pathway to be limited to dedicated communication of application data between a networked first user-application on a first computing device and a second user-application on a networked second computing device via a series of transport layer ports that are dedicated to communication of the application data, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising:
a) executing application space commands by the first user-application on the first computing device, comprising:
I) causing a network stack of the first computing device to send a first configuration packet from the first user-application to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet;
II) receiving, after the network stack sends the first configuration packet, a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet;
III) confirming that the second computing device is authorized to communicate with the first user-application, comprising: matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device;
IV) further causing the network stack to send a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is unique to the first user-application, the first user, one or more content requirements for the application data, and a series of port numbers assigned to the series of dedicated transport layer ports;
V) further receiving, after the network stack sends the third configuration packet, a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and
VI) further confirming that the second user-application is authorized to receive the application data from the first user-application, comprising: further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is unique to the second user-application, the second user, the one or more content requirements for the application data, and the series of port numbers; and
b) further executing kernel space commands on the second computing device to verify that the second user-application is authorized to receive the application data from the first user-application, comprising: obtaining the nonpublic first user-application identifier from the application layer portion of the third configuration packet and matching the obtained nonpublic first user-application identifier to a preconfigured nonpublic first user-application code; and
ii) transmitting the application data via the configured communication pathway from the first user-application to the second user-application.

US Pat. No. 10,397,185

SCALABLE CLOUD HOSTED METADATA SERVICE

EMC IP HOLDING COMPANY LL...

1. A system for protecting data in a cloud environment, the system comprising:
one or more hardware processors; and
a plurality of services comprising computer-executable instructions that, when executed by one or more hardware processors, protect the data, the services including:
a gateway service configured to receive a request from a client;
a plurality of queues, the plurality of queues including a global request queue and a session request queue;
a stream service configured to receive the request from the gateway service, wherein the stream service is configured to evaluate headers included in the request and place the request in one of the plurality of queues based on the header; and
a plurality of workers, wherein any of the plurality of workers can service the request when the request is placed in the global request queue and wherein only a particular worker associated with a session associated with the session request queue can service the request when the request is in the session request queue.

US Pat. No. 10,397,184

MOBILITY MANAGEMENT USING IDENTIFIER-LOCATOR ADDRESSING (ILA)

Verizon Patent and Licens...

1. A device, comprising:
one or more processors to:
receive, from a network device, a request to establish an internet protocol (IP) session for a user device;
allocate at least one of:
an IP address for the user device, or
a first tunnel endpoint identifier associated with a tunnel that is to be used during the IP session,
the IP address including:
 a first set of bits associated with a location identifier, and
 a second set of bits associated with a device identifier;
provide a response to the network device to cause the network device to establish an uplink portion of the IP session,
the response including at least one of:
the IP address, or
the first tunnel endpoint identifier;
receive, from the network device, a request that includes a second tunnel endpoint identifier associated with the tunnel,
where the second tunnel endpoint identifier is associated with establishing a downlink portion of the IP session;
provide at least one of the IP address, the first tunnel endpoint identifier, or the second tunnel endpoint identifier to be stored using a data structure;
provide a response to the network device to cause the network device to establish the downlink portion of the IP session; and
perform one or more actions associated with managing the IP session,
where one or more of the IP address, the first tunnel endpoint identifier, or the second tunnel endpoint identifier are used to make routing decisions during the IP session.

US Pat. No. 10,397,183

METHOD AND SYSTEM FOR ENABLING MEDIA OPTIMIZATION IN A CLOUD CONFERENCE

Cisco Technology, Inc., ...

1. An endpoint operable with a network device and a conference controller, the endpoint comprising:
a processor; and
a memory communicatively coupled to the processor, wherein the memory stores processor-executable instructions, which, on execution, cause the processor to:
send a relay address allocation request comprising a unique session identifier to the network device, wherein the unique session identifier identifies a conference session joined by the endpoint for media streaming;
receive a relay address allocation response from the network device in response to sending the relay address allocation request, wherein the relay address allocation response comprises at least a relay candidate that includes a relay transport address allocated to the endpoint and is mapped with the unique session identifier;
send a session offer message to the conference controller, wherein the session offer message comprises at least the relay transport address to be used as a destination address for the endpoint;
receive a session response message from the conference controller in response to sending the session offer message, wherein the session response message comprises an IP address of the conference controller mapped with the relay candidate;
send a create permission request to the network device, wherein the create permission request comprises the IP address of the conference controller as source address for receiving the one or more media stream packets by the network device;
receive a permission response from the network device confirming the validity of the IP address of the conference controller as source IP address;
send a channelbind request to the network device, wherein the channelbind request comprises a unique channel number of a channel available for binding;
receive a channelbind response from the network device indicating binding of the channel having the unique channel number for receiving the one or more media stream packets from the network device; and
receive one or more media stream packets relayed from the network device via the destination address identified by the unique session identifier.

US Pat. No. 10,397,182

METHOD AND PROCEDURE TO IDENTIFY A SOURCE ACROSS A NETWORK ADDRESS TRANSLATION DEVICE

Sprint Communications Com...

1. A computerized method carried out by at least one server having one or more processors for identifying, to an external device, a client device having an external IP address assigned by a Network Address Translation (NAT) device, the method comprising:
receiving, at a NAT device, a request from a client device to access an external device;
providing, by the NAT device, an external IP address assigned to the client to access the external device;
communicating, by the NAT device, an internal IP address assigned to the client device and placed in an option field of the external IP address;
providing, by the NAT device, a second external IP address assigned to the client to access the external device;
communicating, by the NAT device, the internal IP address assigned to the client device in the option field of the external IP address;
receiving, at the NAT device, a second request from the external device to communicate with the client device, the second request including the internal IP address assigned to the client device;
receiving the second request, at the client mapping repository, for the identification of the client device; and
communicating, from the client mapping repository, the identification of the client device.

US Pat. No. 10,397,181

ADDRESS BOOK INFORMATION SERVICE SYSTEM, AND METHOD AND DEVICE FOR ADDRESS BOOK INFORMATION SERVICE THEREIN

SK PLANET CO., LTD., Seo...

1. A service device comprising:
a communicator configured to communicate with a plurality of terminal devices via a communication network;
a memory configured to store event information generated between the plurality of terminal devices; and
a controller configured to, when a terminal device of a first user transmits, to the communicator, a request for interest information corresponding to a second user:
collect event information generated between the terminal device of the first user and a terminal device of the second user;
identify whether activity information of the second user is publicly available;
display, on the terminal device of the first user, the identified activity information of the second user and the collected event information in a reverse chronological order when it is identified that the activity information of the second user is publicly available;
display, on the terminal device of the first user, only the collected event information in the reverse chronological order when it is identified that the activity information of the second user is not publicly available;
analyze the interest information common to the first user and the second user based on the collected event information and the identified activity information by extracting a pre-stored keyword from a content of the collected event information and a content of the identified activity information when the identified activity information and the collected event information are displayed in the reverse chronological order;
analyze the interest information based only on the collected event information when the collected event information is displayed in the reverse chronological order;
identify a predetermined icon corresponding to the analyzed interest information; and
display the predetermined icon on the terminal device of the first user.

US Pat. No. 10,397,180

DNS RENDEZVOUS LOCALIZATION

Level 3 Communications, L...

1. A method of serving content comprising:
obtaining a portional use relationship between a plurality of client devices within a first autonomous system and a plurality of resolvers within the first autonomous system;
obtaining a distance relationship between the plurality of client devices and a plurality of content serving locations in a second autonomous system, the distance relationship with respect to at least one egress gateway of the second autonomous system and to which content from at least one of the content serving devices egresses to the first autonomous system; and
obtaining a network relationship between the plurality of resolvers and the plurality of content serving locations using the portional use relationship and the distance relationship, the relationship used to resolve a content request from the plurality of client devices.

US Pat. No. 10,397,179

SYSTEMS AND METHODS FOR LOCALIZATION BASED ON INTERNET TERMINAL LOCATION

HUGHES NETWORK SYSTEMS, L...

1. A gateway, comprising:
one or more non-transitory computer-readable mediums operatively coupled to one or more processors, and having instructions stored thereon that, when executed by the one or more processors, cause the gateway to:
maintain a first IP address range associated with a first geographic area serviced by the gateway and a second IP address range associated with a second geographic area serviced by the gateway, wherein the second geographic area is different from the first geographic area;
receive a request from each of a first subscriber and a second subscriber serviced by the gateway, wherein the first subscriber is located within the first geographic area, and wherein the second subscriber is located within the second geographic area;
determine an appropriate source IP address to use in servicing the request of the first subscriber based on a first geographic area-specific policy for the first geographic area; and
determine an appropriate source IP address to use in servicing the request of the second subscriber based on a second geographic area-specific policy for the second geographic area.

US Pat. No. 10,397,178

INTERNET INFRASTRUCTURE SURVEY

Citrix Systems, Inc., Fo...

1. A method for surveying Internet access quality, comprising:
receiving at a DNS nameserver a DNS query for the resolution of a pseudo-hostname, wherein the pseudo-hostname is a fully qualified domain name (FQDN) that comprises an indicator of an access quality measurement and a parameter identifying an infrastructure associated with the access quality measurement;
extracting, from the pseudo-hostname, data including the indicator of the access quality measurement and the parameter identifying the infrastructure associated with the access quality measurement; and
generating an access quality profile using the extracted data.
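The claim above describes a nameserver that treats DNS query names as a data channel: the client encodes a measurement and an infrastructure identifier into the labels of a pseudo-hostname, and the authoritative server parses them back out. The following is an added example, not Citrix's code; the label layout `m-<metric>-<value>.i-<infrastructure>.survey.example.net`, the zone name and the sample query names are all assumptions made for illustration. Because every label arrives from an untrusted resolver, the parser validates label syntax and the expected encoding before anything is aggregated, and counts what it rejects.

```python
"""Parse survey pseudo-hostnames and aggregate them into an access-quality profile.

Added example; not Citrix's code. Assumed label layout (one measurement per query):
    m-<metric>-<value>.i-<infrastructure>.survey.example.net
"""
import re
from collections import defaultdict
from statistics import mean

SURVEY_ZONE = "survey.example.net"  # assumed zone the nameserver is authoritative for
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # RFC 1035 label syntax
METRIC_RE = re.compile(r"^m-(rtt|loss|jitter|tput)-(\d{1,9})$")   # closed metric vocabulary
INFRA_RE = re.compile(r"^i-([a-z0-9]{1,32})$")


class BadPseudoHostname(ValueError):
    """Query name that is not a well-formed survey measurement."""


def parse_pseudo_hostname(qname):
    """Extract metric, value and infrastructure from a query name, or raise."""
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive; strip the root dot
    if not name.endswith("." + SURVEY_ZONE):
        raise BadPseudoHostname("outside the survey zone")
    labels = name[: -len(SURVEY_ZONE) - 1].split(".")
    if len(labels) != 2 or not all(LABEL_RE.match(lab) for lab in labels):
        raise BadPseudoHostname("expected two well-formed data labels")
    m, i = METRIC_RE.match(labels[0]), INFRA_RE.match(labels[1])
    if not (m and i):
        raise BadPseudoHostname("labels do not encode a measurement")
    return {"metric": m.group(1), "value": int(m.group(2)), "infra": i.group(1)}


def build_profile(qnames):
    """Aggregate accepted queries per (infrastructure, metric); count rejected ones."""
    samples, rejected = defaultdict(list), 0
    for q in qnames:
        try:
            rec = parse_pseudo_hostname(q)
        except BadPseudoHostname:
            rejected += 1
            continue
        samples[(rec["infra"], rec["metric"])].append(rec["value"])
    profile = {}
    for (infra, metric), values in samples.items():
        profile.setdefault(infra, {})[metric] = {
            "n": len(values), "mean": mean(values), "max": max(values)}
    return profile, rejected


# Constructed query names as a resolver might send them (trailing dot optional).
SAMPLE_QNAMES = [
    "m-rtt-42.i-isp0017.survey.example.net.",
    "M-RTT-58.I-ISP0017.survey.example.net",       # 0x20 case mixing by the resolver
    "m-loss-3.i-isp0017.survey.example.net",
    "m-rtt-120.i-cdnpop9.survey.example.net",
    "x.y.survey.example.net",                        # in zone, not a measurement
    "m-rtt-42.i-isp0017.other.example.net",          # wrong zone
    "m-rtt-1e9.i-isp0017.survey.example.net",        # value is not an integer
    "m-rtt-7.i-isp0017.extra.survey.example.net",    # too many labels
]

if __name__ == "__main__":
    print(build_profile(SAMPLE_QNAMES))
```

The same label-encoding trick is the transport used by DNS tunnelling and exfiltration tools, so a survey nameserver of this kind should also rate-limit per source resolver and keep the accepted metric vocabulary closed, as `METRIC_RE` does here; anything else in the zone is logged as rejected rather than parsed.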

US Pat. No. 10,397,177

MATTER MESSAGE NOTIFICATION METHOD, APPARATUS, AND DEVICE

TENCENT TECHNOLOGY (SHENZ...

1. An event message notification method performed at a terminal having one or more processors and memory storing one or more programs to be executed by the one or more processors, the method comprising:displaying a group chat interface in an instant messaging application, the group chat interface including an affordance for opening an event message editing interface;
in response to detecting a triggering event associated with the affordance:
displaying the event message editing interface, the event message editing interface including an editing item used for editing event content, an editing item used for adding a target user, and an editing item used for adding a file;
generating an event message in accordance with user-provided event content through the editing item used for editing the event content, one or more user-selected target users selected from participants of the group chat through the editing item used for adding a target user, and one or more user-selected files through the editing item used for adding a file;
adding a confirmation tag to the generated event message to indicate that only the user-selected target users are prompted to instantly view and confirm receipt of the event message;
sending the event message and the confirmation tag to a server, wherein the server performs steps including:
sending, by the server, the event message with a prompting tag corresponding to the confirmation tag to only the user-selected target users so that the user-selected target users are prompted to instantly view and confirm receipt of the event message; and
sending, by the server, the event message without the prompting tag to participants other than the user-selected target users in the group chat; and
receiving, by the server, acknowledgement notifications from each of the user-selected target users, wherein a respective acknowledgement notification is received by the server from a corresponding user-selected target user after the corresponding user-selected target user opens and acknowledges receipt of the event message; and
receiving, by the terminal from the server, a notification indicating all the user-selected target users have opened and acknowledged the receipt of the event message.

US Pat. No. 10,397,176

METHOD AND SYSTEM FOR INTERWORKING OF RCS UNIVERSAL PROFILE AND PRE-UNIVERSAL PROFILE CLIENTS

Syniverse Technologies, L...

1. A system for enabling communication between a Rich Communication Services (RCS) Universal Profile (UP) client and a Pre-Universal Profile (Pre-UP) client, the system comprising:an Interworking Function (IWF) interfacing with a Controlling Function of a first network operator and a Participating Function of a second network operator, the IWF comprising:
a Session Initiation Protocol (SIP) Application Server (AS) configured to receive an incoming Session Initiation Protocol (SIP) message from the Controlling Function of the first network operator, wherein the SIP AS is configured to execute actions selected from the group consisting of translating the incoming SIP message to a SIP INVITE message for interworking between a Converged Internet Protocol Messaging System (CPM) Standalone Message Pager Mode and a CPM 1-to-1 Chat, proxying the SIP INVITE message between the first network operator and the second network operator for interworking between a CPM Standalone Message Large-Message Mode and the CPM 1-to-1 Chat, proxying the SIP INVITE message between the first network operator and the second network operator for interworking between the CPM Chat and an Instant Message and Presence Leveraging Extension (IM/SIMPLE) Chat, translating the SIP INVITE message to the SIP message for interworking between a Message Session Relay Protocol (MSRP) File Transfer and a HyperText Transfer Protocol (HTTP) File Transfer, sending the SIP message containing a notification of a Uniform Resource Locator (URL) for interworking between the HTTP File Transfer and the MSRP File Transfer, and proxying the SIP INVITE message between the first network operator and the second network operator for interworking between an Open Group Chat (OGC) and a Closed Group Chat (CGC); and
a Message Session Relay Protocol (MSRP) Server configured to send an outgoing MSRP message to the second network operator, the MSRP Server configured to execute actions selected from the group consisting of initiating a MSRP session toward the second network operator for interworking between the CPM Standalone Message Pager Mode and the CPM 1-to-1 Chat, proxying the MSRP session between the first and the second network operators for interworking between the CPM Standalone Message Large-Message Mode and the CPM 1-to-1 Chat, proxying the MSRP session between the first and the second network operators for interworking between the CPM Chat and the IM/SIMPLE Chat, and establishing a MSRP client for sending a file from the first network operator to the second network operator for interworking between the HTTP File Transfer and the MSRP File Transfer.

US Pat. No. 10,397,175

COMMUNICATION CHANNEL SELECTION AND USAGE

INTERNATIONAL BUSINESS MA...

1. A method of electronic communication between a plurality of devices, comprising:determining, using a processor, a required answer time for an electronic message;
determining, using the processor, a plurality of expected response times, wherein each expected response time is specific to a recipient of the electronic message and is specific to one of a plurality of different communication channels;
matching, using the processor, the required answer time to an expected response time;
selecting, using the processor, a communication channel from the plurality of different communication channels based upon the matching; and
initiating sending, using the processor, of the electronic message to a device of the recipient using the selected communication channel.

US Pat. No. 10,397,174

MESSAGE DELIVERY IN A MESSAGE SYSTEM

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method of controlling message delivery from a publisher application to one or more subscriber applications of a messaging system, the one or more subscriber applications having a plurality of subscriptions registered with a broker application of the messaging system, the method comprising:generating a unified subscription description representing the plurality of registered subscriptions based on at least one stored intermediate subscription description, wherein each intermediate subscription description represents one or more registered subscriptions;
determining that a particular subscription of the plurality of subscriptions has been registered, unregistered, or altered;
generating a new intermediate subscription description, the new intermediate subscription description representing at least the particular subscription;
determining that a stored intermediate subscription description represents at least one same subscription as the new intermediate subscription description,
replacing the stored intermediate subscription description with the new intermediate subscription description without altering any other stored intermediate subscription description;
generating an updated unified subscription description based at least in part on the new intermediate subscription description; and
communicating the updated unified subscription description to the publisher application.

US Pat. No. 10,397,173

TAGGED MESSAGES TO FACILITATE ADMINISTRATION OF A VIRTUALIZATION INFRASTRUCTURE

VMware, Inc., Palo Alto,...

1. A computer-implemented method to facilitate administration of a virtualization infrastructure, the computer-implemented method comprising:providing members of the virtualization infrastructure with access to a shared message stream of a social network such that the members of the virtualization infrastructure are able to monitor messages generated by other members of the virtualization infrastructure posted to the shared message stream, wherein at least some of the messages are indicative of operational conditions of particular other members which generated the messages, wherein the members of the virtualization infrastructure comprise a plurality of virtual machines, and wherein the members of the virtualization infrastructure are arranged in a hierarchy within the social network based on a parent/child relationship of the members;
displaying posted messages of non-human members of the virtualization infrastructure within the shared message stream, the non-human members comprising the plurality of virtual machines, wherein the posted messages comprise tags identifying operational conditions of the non-human members of the virtualization infrastructure, and wherein at least one posted message comprises an association with an indication that at least one non-human member identifies with the specific operational condition of the posted message; and
responsive to a selection of a particular tag, displaying the non-human members of the virtualization infrastructure that posted a message comprising the particular tag.

US Pat. No. 10,397,172

SYSTEM AND METHOD FOR SOCIAL AWARENESS TEXTILES

International Business Ma...

1. A computer-implemented method comprising:identifying attribute information of at least a first wearable associated with an outfit of a user;
receiving, via a user interface, an indication designating the first wearable as a master arbiter, wherein the master arbiter is a predetermined focus of the outfit and determines whether one or more portions of the outfit associated with at least a second wearable are recommended for wearing with a portion of the outfit associated with the master arbiter;
receiving information about an event, wherein the information about the event is based upon, at least in part, a location of the event and a crime rate associated with the location of the event, wherein the crime rate is received via a national crime data store; and
sending an electronic message to the user when at least a portion of the outfit is not recommended for wearing at the event based upon, at least in part, the attribute information of the first wearable, the second wearable, and the information about the event,
wherein sending the electronic message to the user when the one or more portions of the outfit is not recommended for wearing at the event is based upon, at least in part,
the location of the event and the crime rate associated with the location of the event,
identifying that the user is inclined to travel a specific route and take a specific mode of transportation to the event, and the crime rate associated with the specific route and the specific mode of transportation to the event,
identifying the one or more portions of the outfit that would make the user vulnerable to a robbery at, at least one of, the event, the specific route to the event, and the specific mode of transportation to the event, and
whether the one or more portions of the outfit are likely targets to the robbery.

US Pat. No. 10,397,171

MANAGING CONTENT DISCLOSURE ON SOCIAL NETWORKING SITES

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method for managing content disclosure on social networking sites, the method comprising:monitoring, using a processor, user-generated content and one or more social network connections of a user viewing or listening to the user-generated content, the one or more social network connections comprising a first connection and a second connection;
classifying, using the processor, the user-generated content into one or more content types;
determining, using the processor, a positive mood of the first connection based on a reaction of the first connection to the user-generated content and a negative mood of the second connection based on a reaction of the second connection to the user-generated content;
associating, using the processor, the first connection with a first label indicative of the positive mood and the second connection with a second label indicative of the negative mood;
receiving, using the processor, further user-generated content;
determining, using the processor, one or more further content types from the further user-generated content;
generating, using the processor, a recommendation to share the further content with the first connection, wherein the recommendation is based on the first label and the determined one or more further content types; and
generating, using the processor, a recommendation to not share the further content with the second connection, wherein the recommendation is based on the second label and the determined one or more further content types.

US Pat. No. 10,397,170

COMMUNICATION INVERSION FOR ONLINE COMMUNITIES

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method, comprising:detecting, by a computing device, that one or more parameters indicating a vitality of an online community are below a predetermined threshold value, indicating that the online community has an unacceptable vitality, wherein the online community enables communication between a first group of participants;
determining, by the computing device and based on the detecting that the online community has the unacceptable vitality, an existing related online community is associated with the online community, wherein the existing related online community enables communication between a second group of participants;
detecting, by the computing device, a participant communication within the related online community;
redirecting, by the computing device, the participant communication to the online community based on the determining that the online community has the unacceptable vitality;
detecting, by the computing device, that a predetermined rule is met indicating that the redirecting of communications should end, wherein the predetermined rule is a rule to end the redirecting of communications when the computer device no longer detects that the online community has the unacceptable vitality or after a predetermined period of time has elapsed; and
ending, by the computing device, the redirecting of participant communications from the related online community to the online community.

US Pat. No. 10,397,169

SYSTEMS AND METHODS FOR PROVIDING COMMUNICATION ITEMS FROM AN ENTITY ASSOCIATED WITH A SOCIAL NETWORKING SYSTEM

Facebook, Inc., Menlo Pa...

1. A computer-implemented method comprising:defining, by a computing system, a communication item associated with a social networking system, including a plurality of parameters that are each associated with one or more possible values;
generating, by the computing system, a plurality of variants of the communication item on the social networking system based on a full factorial combination of values associated with the plurality of parameters;
determining, by the computing system, a first set of weights associated with the plurality of variants, each weight in the first set of weights associated with a variant of the plurality of variants;
providing, by the computing system, each variant of the plurality of variants to a proportion of a first group of users that corresponds to a weight in the first set of weights associated with the variant;
obtaining, by the computing system, data relating to performance of each variant on a corresponding proportion of the first group;
determining, by the computing system, a second set of weights associated with the plurality of variants, each weight in the second set of weights associated with a variant of the plurality of variants and a weight in the first set of weights associated with the variant, wherein each weight in the second set is determined based on the associated weight in the first set of weights and the performance of the associated variant from the first group of users; and
providing, by the computing system, each variant of the plurality of variants on the social networking system to a proportion of a second group of users that corresponds to a weight in the second set of weights associated with the variant.

US Pat. No. 10,397,168

CONFUSION REDUCTION IN AN ONLINE SOCIAL NETWORK

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method comprising:identifying elements in social media message content, the social media message content comprising a posted message posted to a social media platform;
determining whether the social media message content is indefinite as to an audience being targeted, the determining whether the social media message content is indefinite as to an audience being targeted comprising predicting a likelihood of confusion based on the social media message content, wherein the prediction of the likelihood of confusion is based on an age of the posted message, in which the older the post, the higher the predicted likelihood of confusion;
determining, based on the identified elements, a plurality of different candidate audiences to which the social media message content is potentially targeted, each candidate audience of the plurality of different candidate audiences ascertained based on a respective corresponding contextual understanding, of a plurality of different contextual understandings, given to the social media message content, wherein the determining the plurality of different candidate audiences comprises:
building a respective dictionary for each user of a plurality of users of a social media platform in which the social media message content is composed, wherein a dictionary for a given user of the plurality of users comprises elements included in prior-composed social media messages composed by the given user;
ascertaining a frequency of the elements included in prior-composed social media messages composed by each user;
building a clustered representation of the social media platform using k-means against the frequency of the elements;
querying a message space for social media messages based on the social media message content; and
identifying dense k-clusters based on the social media message content, the dense k-clusters corresponding to the plurality of different candidate audiences;
indicating to a user the plurality of candidate audiences and, for each candidate audience of the plurality of different candidate audiences, a suggested one or more additional elements to apply to the social media message content to provide additional context for the social media message content and thereby tailor the social media message content to an audience of the plurality of different candidate audiences and corresponding contextual understanding; and
modifying the social media message content with the one or more additional elements for a target audience of the plurality of different candidate audiences, the modifying adding the one or more additional elements to the social media message content and targeting the social media message content to the target audience.

US Pat. No. 10,397,167

LIVE SOCIAL MODULES ON ONLINE SOCIAL NETWORKS

Facebook, Inc., Menlo Pa...

1. A method comprising, by one or more computing devices:receiving, at the one or more computing devices from a client system associated with an author-user of an online social network, instructions for publishing a first post composed by the author-user, the first post comprising a content of the first post and a metadata associated with the first post;
extracting, by the one or more computing devices, one or more n-grams from the content of the first post and the metadata associated with the first post;
determining, by the one or more computing devices, whether the first post is associated with a topic based on whether one or more of the extracted n-grams are associated with the topic;
identifying, by the one or more computing devices, a plurality of second users of the online social network, wherein each second user is a first-degree connection of the author-user within the online social network;
identifying, by the one or more computing devices, one or more of the second users as a subscribing user to the topic based on a determination that the second user is accessing a page associated with the topic;
generating, by the one or more computing devices, for each identified second user, a live social module associated with the topic for presenting, in real-time, posts shared on the online social network;
sending, by the one or more computing devices, to a respective client system of each identified second user, information configured to render a search-results page comprising the live social module, wherein the live social module is configured to be rendered in conjunction with a link associated with the topic, and wherein the live social module comprises an interface that displays, in real-time responsive to the receiving of the first post:
the content of the first post, and
identifying information that is associated with the author-user;
receiving, by the one or more computing devices, a plurality of additional posts composed by users of the online social network, each additional post being associated with the topic;
pushing, in response to receiving the plurality of additional posts, at a first time interval, by the one or more computing devices to the respective client system of each second user, information configured to display content of one or more of the additional posts in the interface of the live social module; and
sending, at each of a plurality of subsequent time intervals, by the one or more computing devices to the respective client system of each second user, information configured to refresh, in real-time responsive to the pushing of the one or more additional posts, the interface of the live social module with another post associated with the topic.

US Pat. No. 10,397,166

SAVING COMMUNICATION CONTENT TO A SOCIAL NETWORK ENVIRONMENT

International Business Ma...

1. A method for making individual communication content accessible to an organizational community, comprising the computer-implemented steps of:receiving, over a network, communication data from a plurality of input source streams in a chat session, wherein the communication data includes a temporal sequence of communications between at least two participants;
removing from a text-based content of the communication data an excluded message based on a designation from a participant of the at least two participants;
automatically generating one or more tags based on the text-based content of the communication data based on frequency of words used after excluding a predefined list of words and automatically tagging individual elements within the text-based content with the one or more tags that enable searching of the individual elements;
automatically saving, in response to a conclusion of the chat session, communication content from the chat session with the one or more automatically generated tags persisted therein directly to a social network profile in a social network of the organizational community, the social network being unrelated to the plurality of input source streams, wherein the communication content is derived from the communication data and includes a copy of an entirety of the text-based content that has not been excluded that is tagged with the one or more tags; and
transforming the communication content in the social network to a trusted source by time stamping the communication content in a non-editable format.
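The claim above combines three steps a practitioner would want to see together: dropping messages a participant excluded, generating tags from word frequency after a stop-word list, and time stamping the saved content in a non-editable format. The claim does not say how the format is made non-editable; the added example below (not IBM's code) assumes a keyed HMAC seal over a canonical JSON encoding of the content and its timestamp, so any later edit to the text, tags or timestamp is detectable. The stop-word list, the key and the chat transcript are constructed for the example.

```python
"""Save a chat transcript with generated tags and a tamper-evident time stamp.

Added example; not IBM's code. The HMAC seal is an assumed way to make the saved
record non-editable in practice: editing any field invalidates the seal.
"""
import copy
import hashlib
import hmac
import json
import re
from collections import Counter

STOPWORDS = {"the", "a", "an", "and", "or", "to", "of", "in", "is", "it", "we",
             "i", "you", "this", "that", "for", "on", "again", "my", "lol"}  # constructed list
SEAL_KEY = b"constructed-demo-key-do-not-reuse"  # assumed; would live in a key manager


def remove_excluded(messages):
    """Drop messages a participant designated as excluded from the saved copy."""
    return [m for m in messages if not m.get("excluded", False)]


def generate_tags(messages, count=3):
    """Most frequent non-stop-words across the transcript, ties broken alphabetically."""
    freq = Counter()
    for m in messages:
        for word in re.findall(r"[a-z0-9]+", m["text"].lower()):
            if word not in STOPWORDS and len(word) > 2:
                freq[word] += 1
    ranked = sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))
    return [word for word, _ in ranked[:count]]


def _canonical(record):
    """Stable byte encoding so the seal does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def save_chat(messages, saved_at):
    """Build the record that would be posted to the social network profile, then seal it."""
    kept = remove_excluded(messages)
    record = {
        "saved_at": saved_at,
        "tags": generate_tags(kept),
        "messages": [{"from": m["from"], "ts": m["ts"], "text": m["text"]} for m in kept],
    }
    record["seal"] = hmac.new(SEAL_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_chat(record):
    """True only if no field other than the seal has changed since save_chat sealed it."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(SEAL_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.get("seal", ""), expected)


# Constructed chat session between two participants; the last message was excluded by its author.
CHAT = [
    {"from": "ana", "ts": "2019-08-27T09:00:00Z", "text": "The deploy to staging failed again"},
    {"from": "ben", "ts": "2019-08-27T09:01:10Z", "text": "Rollback the deploy and check the migration"},
    {"from": "ana", "ts": "2019-08-27T09:02:05Z", "text": "Migration script needs the new staging schema first"},
    {"from": "ben", "ts": "2019-08-27T09:03:40Z", "text": "my vpn password is hunter2 lol", "excluded": True},
]


def demo():
    """Seal the constructed chat, then show that an edit to the saved text is detected."""
    record = save_chat(CHAT, "2019-08-27T09:10:00Z")
    tampered = copy.deepcopy(record)
    tampered["messages"][0]["text"] = "The deploy to staging succeeded"
    return record, verify_chat(record), verify_chat(tampered)


if __name__ == "__main__":
    print(demo())
```

A plain timestamp written into an immutable-looking format proves nothing on its own; the seal is what turns the saved copy into a trusted source, and the key behind it must not be readable by the people who can edit profile content. The excluded message never reaches `save_chat`'s record, so it is neither tagged nor sealed.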

US Pat. No. 10,397,165

TECHNIQUES FOR RELIABLE MESSAGING FOR AN INTERMEDIARY IN A NETWORK COMMUNICATION ENVIRONMENT

Oracle International Corp...

1. A method comprising:receiving, by an intermediary communication system, from a source, a first message to send to a destination, wherein the first message includes a first message identifier or information to generate the first message identifier;
sending, by the intermediary communication system, the first message to the destination;
storing, by the intermediary communication system, the first message identifier for the first message;
receiving, by the intermediary communication system, from the source, a second message to send to a destination, wherein the second message includes a second message identifier or information to generate the second message identifier;
determining, by the intermediary communication system, a message sequence number of the second message, wherein the message sequence number is based on a sequence of communication of the second message using a communication protocol;
determining, by the intermediary communication system, based upon a comparison of the first message identifier of the first message to the second message identifier of the second message, whether the second message is a duplicate of the first message;
upon determining that the second message is not a duplicate of the first message, generating, by the intermediary communication system, a new message identifier to be associated with the second message based on the message sequence number and the second message identifier, sending, by the intermediary communication system, the message to the destination, and storing, by the intermediary communication system, the new message identifier for the second message;
upon determining that the second message is a duplicate of the first message, determining, by the intermediary communication system, a delivery status associated with the first message based upon the first message identifier;
upon determining the delivery status includes an acknowledgement by the destination that the first message was received by the destination, notifying, by the intermediary communication system, the source of the delivery status and preventing, by the intermediary communication system, the second message from being sent to the destination; and
upon determining the delivery status does not include an acknowledgement by the destination that the first message was received by the destination, performing, by the intermediary communication system, one or more actions related to facilitating the first message being sent to the destination.
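The claim above is an idempotent-forwarding design: the intermediary keys every message on an identifier supplied by (or derived from) the source, and a retransmission is resolved by looking at what the destination has already acknowledged. The following is an added example, not Oracle's code. The transport callback, the content-hash fallback for messages that carry no identifier, the forwarded-id layout `<sequence>:<source id>` and the redelivery action are assumptions; so is keying the duplicate store per source, which keeps one sender from suppressing another's traffic by reusing its identifiers.

```python
"""Intermediary that forwards messages once and resolves retransmissions by delivery status.

Added example illustrating the claim above; not Oracle's code. The transport callback,
the identifier derivation for messages that carry no explicit id, the forwarded-id
layout "<sequence>:<source id>" and the redelivery action are assumptions.
"""
import hashlib


class Intermediary:
    def __init__(self, transport):
        self.transport = transport  # assumed: callable(destination, message_dict)
        self.seq = 0                # position in the sequence of messages received
        self.records = {}           # (source, source message id) -> delivery record
        self.forwarded = {}         # id as sent to the destination -> (source, source id)
        self.source_notices = []    # delivery-status notices returned to the source

    @staticmethod
    def source_message_id(msg):
        """Explicit id if the source supplied one, else a stable id derived from the content."""
        if msg.get("id"):
            return msg["id"]
        return "h-" + hashlib.sha256(msg["body"].encode()).hexdigest()[:16]

    def receive(self, source, destination, msg):
        self.seq += 1
        src_id = self.source_message_id(msg)
        key = (source, src_id)  # scope dedup per source so one sender cannot suppress another's traffic
        rec = self.records.get(key)
        if rec is None:
            # Not a duplicate: mint a forwarding id from the sequence number and the source id,
            # send, and remember it so the destination's acknowledgement can be mapped back.
            fwd_id = f"{self.seq}:{src_id}"
            self.transport(destination, {"id": fwd_id, "body": msg["body"]})
            self.records[key] = {"forwarded_id": fwd_id, "destination": destination,
                                 "body": msg["body"], "acked": False}
            self.forwarded[fwd_id] = key
            return "sent"
        if rec["acked"]:
            # Duplicate of a message the destination already confirmed: report, do not resend.
            self.source_notices.append((source, src_id, "delivered"))
            return "suppressed"
        # Duplicate of a message still unacknowledged: re-drive the original delivery,
        # reusing the original forwarding id so the destination can deduplicate as well.
        self.transport(rec["destination"], {"id": rec["forwarded_id"], "body": rec["body"]})
        return "redelivered"

    def acknowledge(self, fwd_id):
        """Destination confirms receipt of a forwarded message."""
        key = self.forwarded.get(fwd_id)
        if key is None:
            return False  # unknown id: ignore rather than trust it
        self.records[key]["acked"] = True
        return True


def demo():
    """Walk one message through the branches of the claim; returns what was observed."""
    wire = []  # (destination, forwarded id) for every send on the transport
    mw = Intermediary(lambda dest, m: wire.append((dest, m["id"])))
    results = [
        mw.receive("billing", "orders", {"id": "ord-1", "body": "charge 10"}),  # first copy
        mw.receive("billing", "orders", {"id": "ord-1", "body": "charge 10"}),  # retransmit, no ack yet
    ]
    mw.acknowledge(wire[0][1])
    results += [
        mw.receive("billing", "orders", {"id": "ord-1", "body": "charge 10"}),  # retransmit after ack
        mw.receive("billing", "orders", {"body": "charge 10"}),                 # no id: derived from content
        mw.receive("shipping", "orders", {"id": "ord-1", "body": "ship 10"}),   # same id, other source
    ]
    return results, wire, mw.source_notices


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the code rather than the claim: the content-hash fallback will treat two genuinely identical messages from one source as duplicates, so sources that legitimately repeat payloads must supply explicit identifiers; and the record store needs bounded retention, because an identifier forgotten too early turns a late retransmission into a second delivery.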

US Pat. No. 10,397,164

DEPUTIZING AGENTS TO REDUCE A VOLUME OF EVENT LOGS SENT TO A COORDINATOR

QUEST SOFTWARE INC., Ali...

1. A computer-implemented method, comprising:determining, by a processor, that a coordinator is in an overloaded state;
responsive to determining that the coordinator is in the overloaded state, transitioning from a normal mode of operation to a deputized mode of operation;
identifying, by the processor, a plurality of software agents;
sending a first message to the plurality of software agents indicative of the coordinator being in the overloaded state; and
receiving, by the processor, a second message that an agent of the plurality of software agents has been selected to be a deputized agent for the plurality of software agents.

US Pat. No. 10,397,163

THIRD PARTY APPLICATION CONFIGURATION FOR ISSUING NOTIFICATIONS

Google LLC, Mountain Vie...

1. A computer-implemented method comprising:transmitting, by one or more processors, a request to register a user device and an application configured to be executed by the user device with one or more data sources, the request comprising timing permissions indicating when content is to be received for the application and data format information indicating a particular data format to be used for information provided to the application;
determining one or more trigger events associated with the registered application based on a type of the application;
receiving event information from the one or more data sources, and
determining that one of the one or more trigger events associated with the registered application has occurred based on the event information received from the one or more data sources;
in response to determining that one of the one or more trigger events has occurred, determining, by the one or more processors and using one or more neural networks, whether to output a notification including data corresponding to the event information based on one or more criteria, the one or more criteria including the timing permissions, the particular data format, and the user preferences;
in response to determining that the one or more criteria is satisfied, determining to output the notification including data corresponding to the event information; and
providing, by the one or more processors, the notification including the data corresponding to the event information to a display of a user device.

US Pat. No. 10,397,162

SENDING NOTIFICATIONS TO MEMBERS OF SOCIAL GROUP IN A SOCIAL NETWORKING SYSTEM

Facebook, Inc., Menlo Pa...

1. A computer implemented method comprising:maintaining, by a social networking system, a group having a plurality of members, each member being one of a plurality of users of the social networking system, the group being a subset of the plurality of users of the social networking system;
receiving one or more posts from one or more members of the group, the posts directed to the group;
identifying a subject user from the plurality of members of the group for sending a notification to the subject user about one or more of the received posts;
determining whether to send the notification about one or more of the received posts to the subject user based on at least a seniority of the subject user in the group, the seniority of the subject user is measured as a rank of the subject user based on a number of members who joined the group before the subject user, the determination comprising:
responsive to the rank of the subject user exceeding a threshold value, determining to send the notification about one or more of the received posts to the subject user based on whether the member sending the one or more posts is connected to the subject user in the social networking system; and
responsive to determining to send the notification about one or more of the received posts to the subject user:
generating the notification about one or more of the received posts, and
sending the generated notification about one or more of the received posts to the subject user.

US Pat. No. 10,397,161

ELECTRONIC MAIL (EMAIL) MESSAGE LIFECYCLE MANAGEMENT

QUEST SOFTWARE INC., Ali...

1. A computer-implemented method, comprising:selecting, by a message lifecycle engine, an inbox of an email client application associated with an employee in an enterprise;
displaying, by an email client, a sender lifecycle user interface to a sender of the email;
displaying, by the email client, a plurality of sender parameters, wherein the plurality of sender parameters comprise: a do not forward parameter, a security tag parameter, a classification parameter, a temporary delete parameter, a permanent delete parameter, an expiry date parameter, a read/unread parameter, and a time period parameter;
receiving, by the email client, a selection including at least one of the plurality of sender parameters;
creating, based on the selection, a particular sender rule of one or more sender rules, the particular sender rule identifying conditions that when satisfied cause the email to be deleted;
associating, by the email client, the particular sender rule with the email; and
deleting, by the message lifecycle engine, an email in the inbox based at least in part on:
the one or more sender rules associated with the email;
one or more system rules associated with an email system used by the enterprise;
one or more user rules associated with the email, the one or more user rules created based on an analysis of user behavior; and
one or more data loss prevention (DLP) policies.

US Pat. No. 10,397,160

METHOD TO PRE-SELECT FOLDERS TO SYNCHRONIZE DURING INITIAL EMAIL ACTIVATION ON A MOBILE DEVICE

BLACKBERRY LIMITED, Wate...

1. A method implemented by a processor of a mobile device for synchronizing the mobile device with an email mailbox on a mail server, the method comprising:generating a search query for execution at the mail server to identify a predetermined number of most recently received email messages that are currently stored on the mail server and that were previously moved from an inbox folder associated with the email mailbox to be filed in at least one non-inbox folder of the email mailbox, the search query being set to exclude messages currently stored in the inbox folder;
transmitting the search query to the mail server;
selecting one or more first non-inbox folders of the email mailbox on the mail server to synchronize locally on the mobile device, the selecting including:
for each of the non-inbox folders, attributing weights to a plurality of usage pattern metrics for that non-inbox folder, the plurality of usage pattern metrics including a count of identified email messages associated with that non-inbox folder and a date of last access for identified email messages associated with that non-inbox folder, and
selecting the one or more first non-inbox folders to synchronize locally based on the weighted usage pattern metrics for the non-inbox folders of the email mailbox;
retrieving, from the mail server, one or more email messages residing in the selected first non-inbox folders on the mail server;
creating account folders for an account corresponding to the email mailbox in a mail client application on the mobile device, the account folders corresponding to the selected first non-inbox folders of the email mailbox on the mail server; and
synchronizing the created account folders with at least portions of the retrieved email messages.

US Pat. No. 10,397,159

SYSTEMS, APPARATUSES, AND METHODS FOR PRESENTING CONTACTS BY PROJECT

1. A method for addressing message recipients in a messaging graphical user interface, the method comprising: displaying a messaging graphical user interface screen including a project selection field, which displays a plurality of project identifiers, a recipients field, and a message input field in which a user creates a message including text;
receiving a user selection of a project identifier from the plurality of project identifiers in the project selection field;
in response to receiving the user selection of the project identifier, retrieving a list of recipients including a first plurality of recipients that play roles on the identified project and a second plurality of recipients that do not play a role on the identified project;
in response to retrieving the list of recipients displaying, in a drop-down list of the recipients field in the messaging graphical user interface screen, the first plurality of recipients and the second plurality of recipients, wherein each recipient in the drop-down list has at least one address, and wherein the first plurality of recipients are arranged in order according to the roles played by the first plurality of recipients on the project and the second plurality of recipients are displayed below the first plurality of recipients in the drop-down list of the recipients field;
for each recipient of the first plurality of recipients listed, displaying a role identifier adjacent to the each recipient's address to indicate the each recipient's played role on the identified project;
receiving a user selection of one or more recipients from the drop-down list of the recipients field; and
adding the address of each selected recipient to the recipients field as the message recipients.

US Pat. No. 10,397,158

E-MAIL PROXY

BlackBerry Limited, Wate...

1. A method performed by a network email entity, the method comprising: receiving, at the network email entity from a sender, a body of a multipart email message destined to an email client and header information for an attachment of the multipart email message but without the attachment itself, wherein the attachment is encoded to prevent exposure of control information in the attachment to one or more servers which pass the email message through the Internet;
processing, at the network email entity, the multipart email message according to a preference, the preference indicating that the attachment be removed from the multipart email message and substituted with a link configured to, when selected, cause retrieval of the attachment from the network email entity;
sending, from the network email entity, a formatted email message to the email client, the formatted email message including the body of the multipart email message and including the link to cause retrieval of the attachment from the network email entity;
receiving, at the network email entity, an indication from the email client after the sending, the indication being a request for retrieval of the attachment according to a selection of the link included in the formatted email message;
in response to the receiving the indication from the email client after the sending the formatted email message, downloading, at the network email entity, the attachment according to the selection of the link included in the formatted email message;
decoding, at the network email entity, the attachment into an original content type of the attachment; and
sending, from the network email entity to the email client, the decoded attachment in a streamed manner without encoding for displaying of the decoded attachment at the email client before an entirety of the decoded attachment is received by the email client.

US Pat. No. 10,397,157

MESSAGE MANAGEMENT IN A SOCIAL NETWORKING ENVIRONMENT

International Business Ma...

1. A computer-implemented method for message management utilizing a social networking environment, the method comprising: detecting, in the social networking environment, a message pertaining to multiple anticipated activities;
analyzing the message to identify relevant actionable portions of the message corresponding with each of the anticipated activities, wherein each of the identified relevant actionable portions indicate one or more operations associated with each of the anticipated activities;
determining, for each recipient of the message, a list of the associated operations, wherein completion of each of the anticipated activities depends on the performance of one or more of the associated operations,
assigning each of the associated operations to respective recipients of the message based on a similarity between a set of user profile data for each recipient and each of the associated operations, wherein different associated operations are assigned to different recipients based on a respective set of user profile data for each recipient;
providing, in the social networking environment, a candidate user action for each of the assigned associated operations to the respective recipients of the message; and
executing, in the social networking environment, each of the associated operations based on each recipient's response to respective candidate user actions.

US Pat. No. 10,397,156

PROVIDING MESSAGE STATUS NOTIFICATIONS DURING ELECTRONIC MESSAGING

Facebook, Inc., Menlo Pa...

1. A method comprising: maintaining, by at least one server device of a communication system, a communication thread comprising a chronologically ordered plurality of electronic messages exchanged between a first participant and a second participant;
receiving, from a device associated with the first participant, a first electronic message;
adding the first electronic message to the communication thread;
detecting, based on data received from a device associated with the second participant, that the second participant has accessed the first electronic message; and
in response to detecting that the second participant has accessed the first electronic message, causing the device associated with the first participant to move an access notification element associated with the second participant from a previous position to a position adjacent to the first electronic message in a user interface for the communication thread.

US Pat. No. 10,397,155

SYSTEM AND METHOD FOR SENDING, DELIVERY AND RECEIVING OF DIGITAL CONTENT

Open Text SA ULC, Halifa...

1. A content delivery system, comprising: a processor;
a non-transitory computer readable memory, comprising instructions executable on the processor for:
implementing a sender to:
receive first content associated with a first destination identifier associated with a first delivery method, wherein a transmission initiator of the content has sent the content to the first destination identifier according to the first delivery method and the first destination identifier identifies a destination according to the first delivery method; and
store the first content at the content delivery system;
implementing a forwarder to:
determine a second destination identifier and a second delivery method associated with the first destination identifier;
determine second content from the first content; and
deliver the second content to the second destination identifier according to the second delivery method by providing a location from which the content may be accessed and sending the location to the second destination identifier, wherein the content delivery system is independent of the first destination identifier and the second destination identifier, and the determining and delivering are done independently of the transmission initiator; and
implementing a remote content access module to:
allow a user to access the content at the location.

US Pat. No. 10,397,154

SECURE ELECTRONIC MESSAGE CONVEYANCE

INTERNATIONAL BUSINESS MA...

1. A computer-implemented method performed within a moderating system, comprising: receiving an electronic message originally generated by a first user and including a message header and a message body;
identifying an approval condition associated with an addressee of the electronic message or the message body of the message;
selecting, based upon the approval condition being present in the electronic message, an approval entity from a plurality of approval entities;
receiving, from the selected approval entity, an indication that the electronic message is approved to be forwarded to a second user; and
forwarding, based upon the indication, the electronic message to the second user.

US Pat. No. 10,397,153

ELECTRONIC DEVICE AND METHOD FOR CONTROLLING RECEPTION OF DATA IN ELECTRONIC DEVICE

Samsung Electronics Co., ...

1. A method of an electronic device, the method comprising: displaying a screen including first information which indicates a reception of at least one message;
identifying a user input on second information indicating a reception of a specific message from among the first information;
controlling the second information not to be displayed in the screen, if the identified user input includes a predetermined gesture;
determining an application corresponding to the specific message;
identifying blocking configuration information corresponding to the predetermined gesture, wherein the blocking configuration information includes, based on a gesture included in the user input, information indicating whether to receive at least one message transmitted from the application or whether to display third information indicating a reception of the at least one message transmitted from the application; and
controlling the reception of the at least one message transmitted from the application and controlling a displaying of the third information in the screen based at least in part on the identified blocking configuration information.

US Pat. No. 10,397,152

METHOD AND SYSTEM FOR PREDICTING FUTURE EMAIL

EXCALIBUR IP, LLC, New Y...

1. A method comprising: scanning, by a processor, a plurality of email messages from a plurality of email message inboxes;
identifying, by the processor, patterns based upon an analysis of scanned email messages, wherein a pattern identifies a temporal and causal connection between at least two email messages;
receiving, by the processor, a message sent to a user operating a client device;
determining, by the processor, likely content of a future email message that should be received in an inbox of the client device based on the received email message and based on the patterns, wherein the future email message comprises an email message not yet received and expected to be received by the client device from a third-party email account within a predetermined amount of time from a time associated with the email message based on the patterns; and
transmitting, by the processor, an item of information based on the determined likely content of the future email message, the item of information transmitted to user separate from and prior to actual receipt of the future email message.

US Pat. No. 10,397,151

COORDINATION OF DATA RECEIVED FROM ONE OR MORE SOURCES OVER ONE OR MORE CHANNELS INTO A SINGLE CONTEXT

III HOLDINGS 2, LLC, Wil...

1. A method at a user device comprising: receiving, by the user device, an audio request for information via a multimodal application of the user device, the audio request comprising partial data, the partial data being a fragment of complete data for a computing device to provide complete information corresponding to the audio request;
transmitting, by the user device, the partial data to a remote computer system, the remote computer system comprising a coordination management computer system;
receiving, by the user device from the remote computer system, a request for associated data that is associated with the partial data, wherein the associated data is to be complied with the partial data to provide the complete information corresponding to the audio request;
responsive to the received request for the associated data, transmitting, by the user device, the associated data to the remote computer system;
receiving, by the user device, the complete information corresponding to the audio request, the complete information comprising the associated data combined with the partial data; and
presenting, by the user device, the complete information corresponding to the audio request via at least one interface component of the user device.

US Pat. No. 10,397,150

METHODS AND COMPUTER PROGRAM PRODUCTS FOR PROCESSING A SEARCH QUERY

Gummarus, LLC, Longview,...

1. A computer-implemented method, comprising: creating at least a portion of a network application that is configured to be installed on an apparatus and cooperate with a relay that, in turn, is configured to cooperate with a device with an instant messaging application installed thereon, the network application, when executed, configured to cause the apparatus to:
send, to the relay, a first message configured to cause a second message to be sent from the relay to the device for display of at least a portion thereof utilizing the instant messaging application installed on the device,
after sending the first message, receive, from the relay, a third message including first user input,
in response to the receipt of the third message including the first user input, automatically identify at least one first image based on the first user input,
in response to the automatic identification of the at least one first image based on the first user input, send, to the relay, a fourth message configured to cause a fifth message to be sent from the relay to the device for display of the at least one first image utilizing the instant messaging application installed on the device,
after sending the fourth message, receive, from the relay, a sixth message including second user input,
in response to the receipt of the sixth message including the second user input, automatically identify additional content based on the second user input, and
in response to the automatic identification of the additional content based on the second user input, send, to the relay, a seventh message configured to cause an eighth message to be sent from the relay to the device for display of the additional content utilizing the instant messaging application installed on the device; and
causing storage of the at least portion of the network application.

US Pat. No. 10,397,149

METHOD, SYSTEM AND TERMINAL FOR DELETING A SENT MESSAGE IN INSTANT MESSAGE COMMUNICATION

TENCENT TECHNOLOGY (SHENZ...

1. A method of deleting a sent instant message in messaging communication performed by a server, comprising: receiving from a first communication terminal, a delete request to delete a sent instant message which has been transmitted from the first communication terminal for forwarding to a second communication terminal, wherein the delete request comprises an identification which identifies the sent instant message to be deleted;
determining, whether the sent instant message to be deleted has already been successfully forwarded to the second communication terminal:
if it is determined that the sent instant message to be deleted has already been successfully forwarded to the second communication terminal, forwarding the delete request to the second communication terminal to facilitate deletion of the sent instant message by the second communication terminal and transmitting a first notification message to the second communication terminal to display that the sent instant message has been successfully deleted,
wherein the determination of the sent instant message to be deleted has already been successfully forwarded to the second communication terminal, comprises:
dividing a storage of the server into a first storage area for storing un-forwarded instant messages and a second storage area for storing already forwarded instant messages;
if it is determined that the sent instant message to be deleted has still not been successfully forwarded to the second communication terminal, cancelling further operation on forwarding the sent instant message to be deleted to the second communication terminal,
wherein after the cancelling of the transmission of the sent instant message to the second communication terminal, transmitting the first notification message to the second communication terminal to display that the sent instant message has been successfully deleted, such that the display of the first notification message replaces the display of the deleted sent instant message.

US Pat. No. 10,397,148

SYSTEM FOR PROCESSING ELECTRONIC MESSAGES

1. A system (10) for processing electronic messages comprising: a first communication interface module (12) in electronic communication arrangement with a first external server (13) to form a first communication channel via the internet, the first external server (13) configured to transmit a first type of electronic messages to the first communication interface module (12), an electronic message conversion module (11) in operative electronic communication arrangement with the first communication interface module (12), the first communication interface module (12) configured to electronically transmit and receive the first type of electronic messages which may have attributes of a first attribute set;
a second communication interface module (14) in electronic communication arrangement with a second external server (15) to form a second communication channel via the internet, the second external server (15) configured to transmit a second type of electronic messages to the second communication interface module (14) and the electronic message conversion module (11), the second communication interface module (14) configured to electronically transmit and receive the second type of electronic messages which may have attributes of a second attribute set;
an electronic message processing module (16, 19) in electronic communication arrangement with the electronic message conversion module (11), the electronic message processing module (16) configured to process for a user (17, 20) electronic messages of a standard message type and, in doing so, configured to allocate attributes of a standard attribute set to the processed electronic messages;
the electronic message conversion module (11) configured to facilitate the conversion of electronic messages between the standard messages type and the first and second messages type and vice versa; wherein,
a first allocation table (21) between the standard attribute set and the first attribute set is electronically stored in the first communication interface module (12);
a second allocation table between the standard attribute set and the second attribute set is electronically stored in the communication second interface module (14) and;
the first communication interface module (12) is configured to convert attributes between the first attribute set and the standard attribute set on the basis of the first allocation table;
the second communication interface module (14) is configured to convert attributes between the second attribute set and the standard attribute set on the basis of the second allocation table; and,
the electronic message conversion module (11) is configured so that login information which is required by the first communication interface module (12) or the second communication interface module (14) for transmitting and receiving electronic messages can be passed on.

US Pat. No. 10,397,147

METHOD, APPARATUS AND DEVICE FOR EXCHANGING NAME CARD

Tencent Technology (Shenz...

1. A method for exchanging a name card applied to a terminal, comprising: binding, by a contact client running on the terminal, the contact client with a first Instant Messaging (IM) client running on the terminal through an associated account to implement information sharing between the contact client and the first IM client, the contact client comprising a contact and the associated account being a number of the terminal, the contact client being a first type of client operated in the terminal and the IM client being a second type of client operated in the terminal;
receiving, by the contact client running on the terminal, a selecting signal for selecting at least one name card in the contact;
sending, by the contact client running on the terminal, the selected at least one name card to the first IM client bound with the contact client via Software Development Kit (SDK) provided by the first IM client, the first IM client comprising a first user account, and the first user account having a friendship link; and
sharing, by the first IM client running on the terminal, the selected at least one name card through the first user account with at least one second IM client in the friendship link, wherein the second IM client does not directly interact with the contact client;
wherein the sending the selected at least one name card to the first IM client bound with the contact client comprises:
detecting whether the first IM client bound with the contact client is in an on-line state;
selecting a sharing manner according to whether the first IM client is in the on-line state, wherein the sharing manner comprises sharing by the first IM client and sharing by a short message;
when detecting that the first IM client is in the on-line state, sending the selected at least one name card to the first IM client for sharing;
wherein the method further comprises:
obtaining a second user account of the second IM client in the friendship link through the first user account;
receiving a name card of the second user account;
adding the received name card to the contact of the contact client;
sharing with the first IM client bound with the contact client through the associated account the contact which corresponds to the associated account and is synchronized in a contact server;
receiving and restoring a name card in the contact sent by the first IM client;
wherein the name card in the contact is sent to the contact client after the first IM client receives a restoring signal for obtaining a name card in the contact corresponding to the associated account, sends a name card acquiring request to the contact server, and receives the name card in the contact returned by the contact server; and wherein the name card acquiring request is configured to indicate the contact server to return the name card in the contact corresponding to the associated account.

US Pat. No. 10,397,145

SYSTEMS AND METHODS FOR AUTOMATICALLY PROVIDING ALERTS OF WEB SITE CONTENT UPDATES

1. A system, comprising: a memory that stores instructions; and
a process that executes the instructions to perform operations, the operations comprising:
transmitting a first message containing a copy of first selected content of web site content to a plurality of visitors of a web site, wherein the plurality of visitors comprise computers;
specifying an option in an update profile of a visitor of the plurality of visitors for ignoring a lack of response to the first message;
ignoring, from the visitor of the plurality of visitors, the lack of response to the first message, wherein the lack of response to the first message is ignored based on the option specified in the update profile of the visitor;
transmitting a second message to the visitor in accordance with the update profile, wherein the second message is associated with updating second selected content of the web site content;
updating the web site content based on a revised copy of the second selected content that is received in response to the second message;
receiving requests from visitors of the plurality of visitors to be notified of an update of the website content;
generating an instant message including an alert message indicating the update of the web site content;
transmitting, after updating the web site content, the instant message including the alert message to each of the plurality of visitors that have requested to be notified of the update of the web site content, wherein the alert message indicates that the update has been performed; and
updating, upon receipt of the revised copy of the second selected content, an update log based on changes to the revised copy of the second selected content and to indicate changes in an automatic update sequence number field of the update log, wherein the update log is contained within a web page of the web site updated based on the revised copy of the second selected content.

US Pat. No. 10,397,144

RECEIVE BUFFER ARCHITECTURE METHOD AND APPARATUS

Intel Corporation, Santa...

1. An apparatus comprising: a communication chip comprising a receive buffer that stores a first data packet associated with a first context, among a plurality of contexts, and a second data packet associated with a second context, among the plurality of contexts, wherein the first and second contexts identify respective first and second processes to be performed by a compute node in association with the respective first and second data packets, and the first and second data packets are stored in the receive buffer to be delivered to the compute node for operation of the first and second processes,
wherein the receive buffer includes logic that is to determine that the compute node is unavailable to perform the first process with respect to the first data packet, determine that the compute node is available to perform the second process with respect to the second data packet, and read the second data packet for delivery to the compute node while the first data packet is retained.

US Pat. No. 10,397,143

PREVENTING TRANSMISSION OF ERRORS IN A COMPUTING NETWORK

Amazon Technologies, Inc....

1. A method, implemented by a network device, for preventing transmission of cyclic redundancy check (CRC) errors, the method comprising: maintaining counts of CRC errors for network packets processed by network ports of the network device, wherein the network device supports cut-through forwarding, and wherein cut-through forwarding is enabled on the network ports;
upon detecting a CRC error condition indicated by CRC errors of the network packets increasing above an error threshold:
if the network device supports tracking outbound CRC errors for transmitted network packets:
detecting the CRC error condition for a particular network port of the network device; and
disabling cut-through forwarding on the particular network port so that the particular network port uses store-and-forward processing when processing network packets, wherein disabling cut-through forwarding on the particular network port does not affect whether the other network ports of the network device use cut-through forwarding; and
while cut-through forwarding is disabled on the particular network port, processing network packets via the particular network port using store-and-forward processing; and
otherwise, if the network device does not support tracking outbound CRC errors for transmitted network packets:
detecting the CRC error condition;
disabling cut-through forwarding for all network ports of the network device; and
while cut-through forwarding is disabled on all of the network ports, processing network packets via all of the network ports using store-and-forward network packet processing.

US Pat. No. 10,397,142

MULTI-CHIP STRUCTURE HAVING FLEXIBLE INPUT/OUTPUT CHIPS

MediaTek Inc., Hsin-Chu ...

1. A multi-chip structure, comprising: a switch system on chip (switch SOC) comprising a core circuit, a first multiplexer, and a first de-multiplexer;
a plurality of serializer/deserializer (SerDes) chips, positioned around the switch SOC, wherein at least two of the plurality of SerDes chips are manufactured by different semiconductor processes, and wherein the core circuit is manufactured by a different semiconductor process than that of at least one of the plurality of SerDes chips; and
a plurality of inter-chip interfaces, for connecting the switch SOC to the plurality of SerDes chips, respectively,
wherein a first SerDes chip of the plurality of SerDes chips comprises:
a second de-multiplexer, directly connected to the first de-multiplexer via a first inter-chip interface of the plurality of inter-chip interfaces, configured to convert first serial data to first parallel data and send the first parallel data to the switch SOC; and
a second multiplexer, directly connected to the first multiplexer via a second inter-chip interface of the plurality of inter-chip interfaces, configured to convert second parallel data from the switch SOC to second serial data and sending the second serial data to another chip.

US Pat. No. 10,397,141

ACCESS PORT FOR ONE OR MORE VLANS

Cisco Technology, Inc., ...

1. A network device comprising a memory, a processor, and a plurality of ports, the network device adapted to receive at least one configuring instruction, and adapted, after receipt of any of the at least one configuring instruction, to configure one or more access ports, of the plurality of ports, for endpoint virtual local area network (VLAN) assignment that is in accordance with at least one VLAN assignment algorithm based, at least in part, on available Internet Protocol (IP) addresses for each of a respective subnet of a plurality of subnets associated with each of a respective VLAN of a plurality of VLANs in a network, wherein the at least one VLAN assignment algorithm allows at least two endpoints to be assigned to at least two different respective VLANs of the plurality of VLANs in the network, the at least one VLAN assignment algorithm enabling the at least two endpoints to connect to a same access port of the one or more access ports and provide data which is not VLAN tagged when received at the same access port.

US Pat. No. 10,397,140

MULTI-PROCESSOR COMPUTING SYSTEMS

Hewlett-Packard Developme...

1. A multi-processor computing system comprising: a second processing device to generate outgoing data packets and comprising:
a second network stack to save the outgoing data packets in a second outgoing packet buffer of the second processing device; and
a second network driver to save an outgoing buffer pointer in a second transmission ring of the second processing device, the outgoing buffer pointer corresponding to the second outgoing packet buffer;
a first processing device communicatively coupled to the second processing device, the first processing device comprising a first network driver to move the outgoing buffer pointer from the second transmission ring to a send ring in the first processing device; and
a network interface controller (NIC) communicatively coupled to the first processing device to:
obtain the outgoing buffer pointer from the send ring;
copy, using the outgoing buffer pointer, the outgoing data packets from the second outgoing packet buffer to a transmission queue of the NIC; and
transmit the outgoing data packets to another computing system over a communication network.

US Pat. No. 10,397,139

STORAGE DEVICE IN WHICH FORWARDING-FUNCTION-EQUIPPED MEMORY NODES ARE MUTUALLY CONNECTED AND DATA PROCESSING METHOD

TOSHIBA MEMORY CORPORATIO...

1. A method of controlling a plurality of memory nodes, each of the memory nodes including a plurality of input ports, a plurality of output ports, and a memory in which data is stored, each of the memory nodes being configured to output a packet input to the input port to one of the output ports, the memory nodes being mutually connected at the input ports and the output ports and having addresses, the method comprising: determining a straight line connecting a memory node of a destination address and a memory node of a source address, the destination address indicating an address of a memory node of a target for the packet to be forwarded; and
forwarding a packet to a memory node adjacent to the memory node of a current position address such that the packet proceeds based on the straight line, wherein
while the packet is forwarded from the memory node of the source address to the memory node of the destination address, a trajectory of the packet forwarded from the memory node of the source address to the memory node of the destination address is along the straight line, and the packet proceeds across the straight line at least once.

US Pat. No. 10,397,138

METHOD FOR PROCESSING INFORMATION, FORWARDING PLANE DEVICE AND CONTROL PLANE DEVICE

Huawei Technologies Co., ...

1. A method, comprising: receiving, by a gateway forwarding plane device, a data packet, and extracting the data packet's characteristic information;
buffering the data packet in the gateway forwarding plane device when there is no context information corresponding to the data packet's characteristic information already stored in the gateway forwarding plane device, until receiving the context information returned from a gateway control plane device, wherein the gateway control plane device and the gateway forwarding plane device are both separate and different devices;
before receiving the context information returned from the gateway control plane device, sending, by the gateway forwarding plane device, the data packet's characteristic information to the gateway control plane device, wherein the data packet's characteristic information is used for the gateway control plane device to acquire the context information corresponding to the characteristic information of the data packet;
acquiring, by the gateway control plane device, the context information according to the data packet's characteristic information, and sending, by the gateway control plane device, the context information to the gateway forwarding plane device; and
forwarding by the gateway forwarding plane device, the data packet according to the received context information.

US Pat. No. 10,397,137

DISTRIBUTED FPGA SOLUTION FOR HIGH-PERFORMANCE COMPUTING IN THE CLOUD

LDA TECHNOLOGIES LTD., M...

1. A method for executing a plurality of data processing functions, the method comprising: providing a plurality of data cards, each data card in the plurality of data cards comprising
a printed circuit board,
a plurality of host interface connectors connectable with an internal data bus of a host computer system to transfer data card signals compliant with a first signaling standard between the data card and the host computer system, and
a plurality of data card connectors connectable with at least one external device to communicate with the at least one external device using external data card signals compliant with a signaling standard different from the first signaling standard,
for each data card in the plurality of data cards, converting the data card to convert the data card signals transmitted from the plurality of host interface connectors from being compliant with the first signaling standard to be new data card signals compliant with a second signaling standard different from the first signaling standard;
providing a plurality of electrical connections between the plurality of data cards by, for each data card in the plurality of data cards, connecting at least one host interface connector in the plurality of host interface connectors for that data card to at least one host interface connector of another data card in the plurality of data cards;
providing incoming data to at least one data card in the plurality of data cards;
routing derived data signals, the derived data signals being derived from the incoming data and compliant with the second signaling standard, through the plurality of data cards via the plurality of electrical connections and, for each data card in the plurality of data cards, at least one host interface connector in the plurality of host interface connectors for that data card; and
performing the plurality of data processing functions within the plurality of data cards based on the derived data signals.

US Pat. No. 10,397,136

MANAGED FORWARDING ELEMENT EXECUTING IN SEPARATE NAMESPACE OF PUBLIC CLOUD DATA COMPUTE NODE THAN WORKLOAD APPLICATION

NICIRA, INC., Palo Alto,...

1. For a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, a method comprising: identifying a virtual machine, that operates on a host machine in the datacenter, to attach to the logical network, the virtual machine having a network interface with a network address provided by a management system of the datacenter, wherein a workload application executes in a first namespace of the virtual machine; and
distributing configuration data for configuring a managed forwarding element executing in a second namespace of the virtual machine (i) to receive data packets sent from the workload application via an interface pairing between the first and second namespaces and (ii) to perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have the provided network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the same provided network address as a source address for the encapsulation when sent from the virtual machine.

US Pat. No. 10,397,135

ROUTER FABRIC

GVBB HOLDINGS S.A.R.L., ...

1. A media signal routing system for routing and distributing media content, the media signal routing system comprising: a synchronized media router configured to route a plurality of packetized media signals to at least one output of the media signal routing system, the plurality of packetized media signals including at least one IP packetized video signal; and
a media routing controller configured to control the synchronized media router to synchronously route data packets of the at least one IP packetized video signal in accordance with a system clock, such that the synchronized media router is configured to switch without at least one glitch between outputting the at least one IP packetized video signal and another media signal of the packetized media signals to the at least one output for media content distribution.

US Pat. No. 10,397,134

BANDWIDTH SHARING

International Business Ma...

1. A method for bandwidth sharing to enable communication between users over the Internet, said method comprising: receiving, by an Internet Service Provider (ISP) from a first user after the first user received a second key from a second user: the second key and a directive to transfer bandwidth from the first user to the second user for a finite time duration N,
wherein the bandwidth to be transferred comprises W upload bandwidth,
wherein the ISP previously provided a first key to the first user in conjunction with a first plan in which the first user purchased from the ISP an upload bandwidth of U1 for transmitting data via the Internet and a download bandwidth of D1 for receiving data via the Internet,
wherein the first key is configured to identify the first user, wherein the ISP previously provided the second key to the second user in conjunction with a second plan in which the second user purchased from the ISP an upload bandwidth of U2 for transmitting data via the Internet and a download bandwidth of D2 for receiving data via the Internet,
wherein the second key is configured to identify the second user, and
wherein U1, D1, U2 and D2 differ from one another;
responsive to said receiving the second key from the first user, changing bandwidth, by the ISP for the time duration N, wherein said changing bandwidth comprises changing the second user's upload bandwidth to U2+W and changing the first user's upload bandwidth to U1−W, wherein W is an additional upload bandwidth, and wherein communication between the second user and the first user requires a permitted upload bandwidth greater than U2 and less than U2+W, and
responsive to receiving, by the ISP from the second user within the time duration N, a directive to establish a communication between the second user and the first user to transfer specified data, transferring, by the ISP during the time duration N in accordance with the permitted upload bandwidth, the specified data from the second user to the first user.

US Pat. No. 10,397,133

STATION-SIDE APPARATUS IN OPTICAL TRANSMISSION SYSTEM AND OPTICAL TRANSMISSION SYSTEM

NIPPON TELEGRAPH AND TELE...

1. A station-side apparatus in an optical transmission system, comprising: a plurality of optical transceivers each configured to convert, into electrical signals, upstream frames including upstream control frames sent as optical signals from a plurality of subscriber-side apparatuses connected via an optical transmission channel;
a plurality of frame reproduction circuits each configured to reproduce the upstream frames converted into the electrical signals by the plurality of optical transceivers;
a plurality of control frame processing circuits each configured to perform predetermined processes for the upstream control frames included in the upstream frames reproduced by the plurality of frame reproduction circuits, wherein the predetermined processes comprise establishing and managing a link with each of the plurality of subscriber-side apparatuses, and Dynamic Bandwidth Allocation processing for controlling the transmission timings of the upstream frames;
a first upstream allocation circuit configured to allocate each of the upstream control frames included in the upstream frames from the plurality of subscriber-side apparatuses to a predetermined one of the plurality of control frame processing circuits based on information added to the frames, wherein the information added to the frames comprises an identifier for identifying each of the plurality of subscriber-side apparatuses; and
a first downstream allocation circuit configured to allocate, to a predetermined one of the plurality of frame reproduction circuits, each of downstream control frames output from the control frame processing circuits to which the upstream control frames have been allocated.

US Pat. No. 10,397,132

SYSTEM AND METHOD FOR GRANTING VIRTUALIZED NETWORK FUNCTION LIFE CYCLE MANAGEMENT

FutureWei Technologies, I...

1. A virtualized network function (VNF) life cycle management (LCM) method comprising: sending, by a virtualized network function manager (VNFM), a grant request for a VNF LCM operation to a network functions virtualization orchestrator (NFVO), wherein the grant request comprises a wide area network (WAN) connectivity requirement for connecting multiple sites that virtualized network function components (VNFCs) of the virtualized network function (VNF) instance are placed in, and the VNF to be operated comprises at least two VNFCs placed in different sites;
receiving, by the VNFM, a grant response from the network functions virtualization orchestrator (NFVO), wherein the grant response comprises WAN infrastructure manager (WIM) identifier and a granted WAN connectivity requirement approved by the NFVO, wherein, the granted WAN connectivity requirement describes a granted requirement for managing a WAN connectivity connecting the multiple sites across a WAN; and
sending, by the VNFM, a resource allocation request to the WIM according to the WIM identifier, wherein the resource allocation request comprises requested WAN network resource information derived from the granted WAN connectivity requirement.

US Pat. No. 10,397,131

METHOD AND SYSTEM FOR DETERMINING BANDWIDTH DEMAND

VMware, Inc., Palo Alto,...

1. A method for managing bandwidth allocated to a virtual machine running on a host computer, the method comprising: obtaining current bandwidth for a virtual machine on a host computer over a TCP communication channel;
determining a growth margin based on a growth phase of the TCP communication channel;
wherein while the current bandwidth initially increases exponentially in an exponential growth phase of a TCP slow-start, reducing the size of the growth margin exponentially; and
wherein subsequent to the exponential bandwidth increase and while the current bandwidth increases linearly in a linear growth phase of the TCP slow-start, reducing the size of the growth margin linearly;
determining bandwidth demand of the TCP communication channel for the virtual machine as a function of the current bandwidth of the TCP communication channel and the growth margin; and
increasing a bandwidth cap for the virtual machine based on the determined bandwidth demand such that the bandwidth cap is increased proportionally less at each adjustment increment because, as the current bandwidth increases, the bandwidth demand is calculated using a proportionally smaller sized growth margin;
wherein the bandwidth cap limits a transmission rate for the virtual machine.

US Pat. No. 10,397,130

MULTI-CLOUD RESOURCE RESERVATIONS

VMWARE, INC., Palo Alto,...

1. A method for reserving resources in a multi-cloud environment, the method comprising: receiving, by a reservation broker executing in the multi-cloud environment, a first registration request from a first cloud broker associated with a first cloud selected from a plurality of clouds, wherein
the first cloud broker generates the first registration request based on a second registration request, which is received by the first cloud broker from a second cloud broker associated with a second cloud selected from the plurality of clouds,
the second registration request is to register a first cloud resource in the second cloud with the first cloud broker, and
the first registration request is to register the first cloud resource with the reservation broker on behalf of the second cloud broker;
receiving, by the reservation broker, a first client request to reserve the first cloud resource in the plurality of clouds, wherein the first client request includes a first reservation type associated with first cloud resource, and the plurality of clouds correspond to a plurality of cloud brokers including the first cloud broker and the second cloud broker;
selecting, by the reservation broker, the first cloud broker from the plurality of cloud brokers based on the first reservation type associated with the first cloud resource; and
transmitting, by the reservation broker, a first reservation request to the first cloud broker, wherein the first cloud broker is configured to reserve the first cloud resource in the second cloud based on the first reservation request.

US Pat. No. 10,397,129

METHOD AND SYSTEM FOR PROVISIONING COMPUTING RESOURCES

Accenture Global Services...

1. A system comprising: communications interface circuitry configured to:
receive a user query for usage data for a computing resource; and
send an instruction to present a display, via a graphic user interface, of the usage data;
memory configured to store:
a first record of a first event associated with a selected usage of the computing resource; and
a second record of a second event associated with a previous usage of the computing resource, the previous usage occurring before the selected usage on an event timeline for the computing resource; and
event processing circuitry in data communication with the communication interface circuitry and the memory, the event processing circuitry configured to:
access the first record and the second record within the memory;
responsive to the selected usage and the previous usage, determine a change in usage;
compare the selected usage to a usage threshold;
when the selected usage exceeds the usage threshold, generate a notification; and
generate usage data comprising a representation of the selected usage, a representation of the previous usage, the representation of the change in usage, and the notification.

US Pat. No. 10,397,128

ROUTING HANDLER FOR RULE-BASED ACTION TRIGGERING

Amazon Technologies, Inc....

1. A system, comprising: a plurality of computing devices configured to implement a plurality of sub-services and a routing handler, and wherein the routing handler is configured to:
receive, from a client, a request that specifies a particular operation at one or more of the plurality of sub-services, wherein the plurality of sub-services comprise a rules sub-service and an actions sub-service, wherein the rules sub-service comprises one or more operations for defining a plurality of rules using a plurality of triggers and a plurality of actions, wherein individual ones of the rules are defined to bind a respective one or more of the triggers to a respective one or more of the actions, and wherein the actions sub-service comprises one or more operations for performing the actions in a provider network comprising a plurality of resources;
determine the particular operation in the request;
select the one or more sub-services from the plurality of sub services based at least in part on the particular operation in the request, wherein the one or more sub-services includes the rules sub-service and is selected via a lookup in a routing map, wherein the routing map maps individual operations to respective ones of the plurality of sub-services that provide the individual operations and is dynamically loaded from a data store to the routing handler;
route the request to the one or more sub-services including the rules sub-service;
receive one or more responses to the request from the one or more sub-services, including one or more messages from the rules sub-service that describe one or more of the actions specified in one or more of the rules that are triggered by the particular operation;
send one or more additional requests to one or more additional sub-services of the plurality of sub-services including the actions sub-service to perform the one or more actions, wherein the one or more additional sub-services are selected via the routing map; and
return a client response to the client based at least in part on the one or more responses.

US Pat. No. 10,397,127

PRIORITIZED DE-QUEUEING

Cisco Technology, Inc., ...

1. A method, comprising: allocating a first queue;
allocating at least two default queues, wherein the at least two default queues depend from the first queue;
allocating a plurality of local queues that each depend from one of the at least two default queues;
receiving data in a data stream;
determining a quality of service (QoS) associated with the data; and
assigning at least a portion of the data to one of the plurality of local queues based on the determined QoS, wherein a specific local queue from the plurality of local queues has a precedence over other local queues that provides that data in the specific local queue is fully dequeued before data in the other local queues is fully dequeued.

US Pat. No. 10,397,126

VXLAN PACKET TRANSMISSION

Hewlett Packard Enterpris...

1. A method for transmitting a Virtual Extensible Local Area Network (VXLAN) packet, includes: receiving, by a Software Defined Network (SDN) controller, a data packet uploaded from a source VXLAN tunnel end point (VTEP), wherein the data packet is to be transmitted from a source node to a destination node;
acquiring, by the SDN controller, a path maximum transmission unit (PMTU) of a VXLAN tunnel from the source VTEP to a destination VTEP of the data packet, wherein acquiring the PMTU of the VXLAN tunnel includes:
distributing, by the SDN controller, a control packet uploading flow entry to the source VTEP, so as to instruct the source VTEP to
upload a received Internet Control Message Protocol (ICMP) error control packet to the SDN controller;
distributing, by the SDN controller, a PMTU detection flow entry to the source VTEP and starting a timer, so as to instruct the source VTEP to
transmit to the destination VTEP a fragmentation-inhibited detection packet with a MTU of a designated length;
redistributing, by the SDN controller, a PMTU detection flow entry to the source VTEP and resetting the timer when an ICMP error control packet indicating that the fragmentation-inhibited detection packet cannot reach the destination VTEP is received from the source VTEP before the timer expires, so as to instruct the source VTEP to
transmit to the destination VTEP a new fragmentation-inhibited detection packet having a MTU which is the same as the MTU carried in the received ICMP error control packet; and
determining, by the SDN controller, the PMTU of the VXLAN tunnel according to
the MTU carried in the last one of the ICMP error control packets uploaded from the source VTEP if one or more ICMP error control packets are received before the timer expires, or
the designated length of the MTU in the fragmentation-inhibited detection packet transmitted from the source VTEP if no ICMP error control packet is received before the timer expires; and
transmitting, by the SDN controller, a control entry to the source VTEP, so as to instruct the source VTEP to
encapsulate the data packet into a VXLAN packet of a length less than a packet length corresponding to the PMTU, and
transmit the VXLAN packet to the destination VTEP through the VXLAN tunnel.

US Pat. No. 10,397,125

METHOD OF CROSS-REGIONAL DATA TRANSMISSION AND SYSTEM THEREOF

Alibaba Group Holding Lim...

1. A method comprising: acquiring metadata information sent by a client device, the metadata information including first data replication progress information of the client device;
sending the metadata information to a first metadata transmission node device;
acquiring to-be-forwarded data information sent by the first metadata transmission node device; and
pushing the to-be-forwarded data information to the client device, the to-be-forwarded data information including second data replication progress information of another client device.

US Pat. No. 10,397,124

SYSTEM AND METHOD TO PREVENT PERSISTENT FULL SWITCH QUEUES IN SOFTWARE DEFINED NETWORKS

Argela Yazilim ve Bilisim...

1. A method as implemented in a software defined network (SDN) controller in a SDN, where a packet flow traverses at least a first switch and a second switch that are part of the SDN, the first and second switches communicating with the controller via a first and second control connection, respectively, the method comprising the steps of: a) collecting, via the first control connection, a first data indicative of a congestion at the first switch, and collecting, via the second control connection, a second data indicative of a congestion at the second switch;
b) determining, from collected first and second data, a presence of queue fullness in the second switch;
c) determining when and how much TCP flow control to apply to the packet flow at the first switch based on the determining in (b), the SDN controller, not a receiver host, determining when to apply TCP flow control, the TCP flow control achieved by any of, or a combination of the following: delaying ACK packets of the packet flow or decreasing a receiver window size, rwnd, within a header of ACK packets of the packet flow;
d) sending a forwarding rule to the first switch to intercept ACK packets of the packet flow, wherein the first switch installs the forwarding rule and applies the forwarding rule to matching ACK packets;
e) observing the previously determined queue fullness in the second switch and, upon observing, increasing or reducing the rate of said TCP flow control, until the congestion is completely removed; and
f) observing absence of the previously determined queue fullness in the second switch and, upon observing such absence, removing the forwarding rule from the first switch.

US Pat. No. 10,397,123

METHOD AND SYSTEM FOR MANAGING SERVICE QUALITY ACCORDING TO NETWORK STATUS PREDICTIONS

1. A method comprising: obtaining, by a system including a network server, first performance data of an end user device and second performance data associated with a cell of a wireless network, wherein the first performance data includes a mobility pattern of the end user device, and wherein the second performance data is obtained from an eNodeB associated with the cell;
determining, by the system, a predicted available bandwidth for the end user device according to the first performance data and the second performance data;
providing, by the system, access to the predicted available bandwidth to cause a video bit rate to be determined for a portion of media content according to the predicted available bandwidth for the end user device and according to a buffer occupancy of the end user device; and
facilitating, by the system over the wireless network, streaming of the portion of the media content to the end user device according to the video bit rate.

US Pat. No. 10,397,122

TECHNIQUES FOR STORAGE CONTROLLER QUALITY OF SERVICE MANAGEMENT

International Business Ma...

1. A network controller, comprising: monitor logic configured to monitor a data transfer rate and a data transfer threshold for data transferred between storage and an application that is executing on a data processing system, wherein an initial value of the data transfer threshold is set without consideration of a current actual demand of the application and the data transfer threshold corresponds to a quality of service guarantee, and wherein the data transfer threshold corresponds to a data transfer threshold in a network switch;
collector logic configured to collect feedback on the suitability of the data transfer rate from the application; and
threshold adjuster logic configured to change the data transfer threshold for the application based on the monitored data transfer rate and the collected feedback to achieve a quality of service requirement for the application that reflects the current actual demand of the application, wherein the data transfer threshold is lowered in response to the current actual demand of the application being lower than the initial value and is increased when spare capacity is available in response to the current actual demand of the application being higher than the initial value, and wherein the feedback includes an application programming interface (API) message for indicating that a required performance level has been reached.

US Pat. No. 10,397,120

SERVICE LINK SELECTION CONTROL METHOD AND DEVICE

Huawei Technologies Co., ...

1. A flow classifier, comprising: one or more processors; and
a memory storing program instructions that, when executed by the one or more processors, configure the flow classifier to:
receive a service chain selection control policy from a policy and charging rules function (PCRF) unit, wherein the service chain selection control policy comprises a corresponding relation between an application type and an identifier of a service chain, wherein the service chain selection control policy is associated with policy contextual information and a service chain selection policy, wherein the service chain selection policy is from a cooperation device and comprises a corresponding relation among the policy contextual information, the application type, and the identifier of the service chain, wherein the service chain is a path comprising one or more forwarding devices and a value-added service device, a service flow with the application type needs to pass through the one or more forwarding devices and the value-added service device, and the service flow is from a user matching the policy contextual information; and
determine the service flow with the application type based on the service chain selection control policy.

US Pat. No. 10,397,119

HANDLING VOICE AND NON-VOICE DATA UNDER UPLINK LIMITED CONDITIONS

Apple Inc., Cupertino, C...

1. A wireless user equipment device (UE), comprising: a radio; and
a processing element operably coupled to the radio;
wherein the radio and the processing element are configured to:
establish a wireless communication link with a base station according to a radio access technology (RAT);
establish a voice call via the wireless communication link;
determine a first type of data to prioritize over a second type of data for uplink transmission via the wireless communication link;
determine that radio link control (RLC) segmentation of voice packets exceeds an RLC segmentation threshold; and
defer, in response to the determination that RLC segmentation of voice packets exceeds the RLC segmentation threshold, uplink transmission of the second type of data during uplink talkspurts of the voice call.

US Pat. No. 10,397,117

SYSTEM AND METHOD FOR PACKET DISTRIBUTION ON A NETWORK

Sandvine Corporation, Va...

1. A method for packet distribution across a set of network function instances associated with a packet and a plurality of links within at least one link aggregation group (LAG) on a network comprising: receiving the packet from a traffic flow;
determining at least one network function associated with the packet;
determining at least one LAG associated with the packet;
determining a variance associated with a plurality of links within the at least one LAG;
determining whether the variance is above a pre-determined threshold;
wherein, if the variance is above the threshold, determining a path for the packet based on capacity associated with each of the plurality of links;
otherwise determining the path based on capacity of each of a plurality of network function instances associated with the at least one network function, wherein determining the path based on capacity of each of the plurality of network function instances comprises:
determining a load for each of the plurality of network function instances;
determining whether there is a tie for a least loaded network function instance; and
if there is a tie, selecting the network function instance with a higher capacity;
otherwise selecting the network function instance with the least load.

US Pat. No. 10,397,116

ACCESS CONTROL BASED ON RANGE-MATCHING

Amazon Technologies, Inc....

1. A network device, comprising: a register memory storing indications of a range of values;
a content-addressable memory (CAM) comprising a plurality of portions, each portion comprising one or more access control entries;
memory storing actions to take on network packets;
key assembler circuitry coupled to the register memory and the CAM, the key assembler circuitry configured to:
receive data for a network packet received by the network device, the data including fields;
determine that a value of a first one of the fields is within a first numerical range;
generate a compare key including a first field corresponding to the first numerical range and a second field corresponding to a second numerical range, a first value stored in the first field indicating that the value is within the first numerical range and a second value stored in the second field indicating that the value is not within the second numerical range, the compare key having a pre-determined size; and
provide, to the CAM, the compare key to search for an access control entry in a number of portions of the plurality of portions of the CAM, the number of portions being based on the size of the compare key; and
action control circuitry coupled to the CAM and the memory storing actions, the action control circuitry configured to:
receive, from the CAM, an address of the access control entry found using the compare key;
select, using the access control entry, from the memory, one of the actions to perform on the network packet; and
perform the selected action on the network packet.

US Pat. No. 10,397,115

LONGEST PREFIX MATCHING PROVIDING PACKET PROCESSING AND/OR MEMORY EFFICIENCIES IN PROCESSING OF PACKETS

Cisco Technology, Inc., ...

1. A method, comprising: determining, by a packet switching device, a particular plurality of mask lengths of a particular conforming entry that matches a particular address of a packet via a lookup operation in a mask length data structure, with the mask length data structure including a plurality of stored conforming entries, with each of the plurality of stored conforming entries associated with a corresponding one or more mask lengths for searching an address search space, with the address search space referring to installed prefixes that can match a lookup value, with the plurality of stored conforming entries including the particular conforming entry, and with each mask length in the particular plurality of mask lengths corresponding to a searchable hash table in the address search space;
determining, by the packet switching device, an overall longest matching prefix in the address search space for the particular address, which includes:
for a particular mask length in the particular plurality of mask lengths, performing a hash table lookup operation in said corresponding searchable hash table based on a hash key to identify a particular matching hash table entry storing the hash key and additionally storing one or more indications of corresponding one or more possible matching prefixes that are longer than the particular mask length, with the hash key including the particular address masked to said particular mask length, and
responsive to said indications, matching the particular address against one of said possible matching prefixes to identify the overall longest matching prefix which is a longest matching prefix represented in the particular matching hash table entry; and
processing, by the packet switching device, the particular packet based on processing information associated with the overall longest matching prefix.

US Pat. No. 10,397,114

CLIENT COMMUNICATIONS IN MULTI-TENANT DATA CENTER NETWORKS

Hewlett Packard Enterpris...

1. A method of communication between clients in a multi-tenant data center network, the method comprising: receiving at a source tunnel end-point (TEP) a data packet of a source client for a target client;
determining whether a forwarding table of the source TEP includes a first forwarding table (FT) entry for the target client, the first FT entry indicating that a destination TEP is associated with the target client;
transmitting a first unicast packet with a status indicative of a forwarding table-match in the forwarding table of the source TEP to the destination TEP, in response to the first FT entry for the target client being present in the forwarding table of the source TEP;
updating the first FT entry to indicate a different TEP, responsive to receiving, by the source TEP from the destination TEP in response to the first unicast packet, a response message indicating that the destination TEP has a second FT entry in a forwarding table of the destination TEP, wherein the second FT entry indicates the different TEP is associated with the target client;
transmitting a second unicast packet with a status indicative of a forwarding table-miss in the forwarding table of the source TEP to a plurality of other TEPs, in response to the first FT entry for the target client not being present in the forwarding table of the source TEP.

US Pat. No. 10,397,113

METHOD OF IDENTIFYING INTERNAL DESTINATIONS OF NETWORK PACKETS AND AN APPARATUS THEREOF

Cavium, LLC, Santa Clara...

1. A method of implementing a network chip, comprising: receiving a packet through an ingress chip port of the network chip, wherein the packet enters the network chip from outside the network chip through the ingress chip port;
identifying a unique packet identifier of the packet;
forming a token; and
determining a destination to send the token to based on at least two factors, wherein one of the at least two factors is a network chip port number of the ingress chip port indicating where the packet entered the network chip from outside of the network chip and another one of the factors is the unique packet identifier.